From the Editor

I’ve seen a number of references over the last few weeks where longtime Apple techs have
been posting just how long they’ve been working with Apple tech: “OS X was the future
when I started working with Mac OS.” “Cocoa didn’t exist when I became a Mac
developer.” “There was no iPhone when I started with Apple technology.” Some people have
really hung on through some exciting, but doubtful times. The doubt is largely out of the way,
but the excitement is certainly still present. With Lion now just about out (and it may be by the
time this issue shows up in your mailbox), updates to iOS coming along and better developer
tools, with Apple, the hits keep coming. You’ll find out more about the excitement from
WWDC 2011 in my wrap-up article in this month's issue.

It's also an exciting time to be part of the Apple community due to all of the activity in terms
of ways to meet your peers in the community. From the Apple Consultants Network to
CocoaHeads and NSCoder to independent conferences, you can get involved. This includes
MacTech’s own MacTech Conference, taking place from November 24 this year in Los Angeles.
We’re still open to hearing from people looking to speak. If you’re interested in either speaking
or attending, visit http://www.mactech.com/conference for more information. We have some
great speakers and topics lined up already and it looks like another great time is in store.

The excitement in the form of this month's issue comes in several forms. First, our cover
story talks about ways to tame automatic updaters and keep them from taking over your
system(s). Greg Neagle leads you through many of the popular products on the Mac that like
to update themselves, oftentimes against a Sys Admin’s wishes.

This month's Mac in the Shell column follows up from last month’s column and walks
through the details of the Ruby code that powers the logs application we started. In Developer
to Developer, Boisy Pitre finishes off his instructional series on writing a Preference Pane (with
source available!).

Jose Cruz leads us through more of the evolution of AppleScript with Binding with
AppleScriptObjC. Mihalis Tsoukalos is back with some further instruction on using Wireshark.
Wireshark is an amazing network utility of use to anyone that has a device that communicates
over a network (yes, that's everyone).

Finally, this month’s MacTech Spotlight focuses on Kirill Luzanov, founder of and developer
for Binary Fruit. Just looking at Binary Fruit’s first application, Disk Radar, gives me the feeling
that we’re going to see many interesting apps coming from the direction of Kirill Luzanov. For
more on Kirill, check out the MacTech Spotlight.

Thanks again for being a MacTech subscriber. As always, we love to hear feedback from you
on what you like, what you'd like to see and what may not be working so well for you. Send us
letters at letters@mactech.com. Hope to hear from you, and even better, see you at MacTech
Conference.


Ed Marczak,
Executive Editor
WWDC Wrap Up

This year’s Apple World Wide Developer Conference is just
behind us as I write this. 2011 marked some significant firsts, and
the event was exciting, stimulating and fun. The contents of the
conference, aside from the keynote, are under non-disclosure,
but there is still plenty to talk about. What took place this year?

The conference ran from June 6th through the 10th. There’s
probably no better place to start than the keynote, as it takes
place on Monday, and is what kicks off the week. (Although,
there are usually gatherings in the days prior, as you'll find a
critical mass of people in town.) Steve Jobs took the stage to a
standing ovation. Despite Jobs’ apparent weak condition, the
energy of the crowd is what really set the pace for the keynote.
During the Keynote, 3 main topics were covered: Lion, iOS 5 and
iCloud. As is typical for an Apple keynote, Steve Jobs covered the
numbers: how much in sales, how many attendees and how fast
the event sold out. (If you watch the keynote—which I
encourage you to do at http://www.apple.com/apple-events/wwdc-2011/—you’ll
hear Steve mention that the event sold out in two
hours. While this is a bit of revisionist history, the event still did
sell out in about 8 hours—certainly less than 1 day.) WWDC
selling out of all 5,000+ tickets in under a day is a first. It certainly
left some well-respected developers and long-time attendees in
the lurch. If you weren't ready to pounce and provide credit card
info the moment the conference was announced, you were
mostly out of luck. This also led to a grey market of tickets being
sold on eBay, Craig’s List and the like. Jobs referred to this during
the keynote and said, “this is the biggest place we can get!” Not a
solution, but it’s really the best way Apple can serve the
community. If the event gets too large, people get lost in the
shuffle, can’t get into sessions, can’t see an Apple Engineer and
so on. That would make for a much worse event. With that said,
people will be ready for next year, making it even more difficult
to get a ticket. Additionally, unless some protection is put in
place, there will be people that aim to buy tickets just to sell at
a profit.

Lion

After Jobs' introduction, he handed the stage over to Phil
Schiller, who introduced OS X Lion. (It was notable that there
were plenty of references to “OS X” without “Mac” prepended to
it. As the author of an official Apple reference guide, I can tell
you that they were very particular about this at one point.)
Unlike the launch of Snow Leopard, which featured ‘no new
user-facing elements,’ Lion is a tour-de-force on both the GUI and
under-the-hood change. The GUI changes are refinements,
inspired by iOS. More important is what Lion brings to
developers: new APIs, improved APIs and updates to Objective-C.
The most notable improvement is called Automatic Reference
Counting, or “ARC”. ARC takes the job of memory management
away from the developer and lets the compiler handle it—
certainly a first for a C-based language. (The technical
specification for ARC was released as I was about to submit this
article. If you’re interested in the nitty-gritty, you can find it on
the LLVM site here:
http://clang.llvm.org/docs/AutomaticReferenceCounting.html)

Wil Shipley of Delicious Monster shared with me, “[i]n
particular I’m excited by the announcement of Auto Retain
Counting (ARC), which is a very low-level technology that is
really only interesting to developers, but essentially allows us to
code a lot faster while at the same time avoiding the most
common kinds of errors we make. We’ve committed to only
release code [under ARC] from now on, and have already
ported our projects-in-progress to it.” (That was fast, right?) ARC
is compelling enough that this desire to move to it quickly is
reflected in comments from many developers that I spoke
with. Interestingly, ARC is not a Lion-only technology: developers
can use ARC and target both Lion (10.7) and Snow Leopard
(10.6), along with iOS 5 and 4. (Although, running under Snow
Leopard and iOS 4 comes with a caveat or two.)

This is exciting on a few levels. Not the least of which are
the optimizations gained by managing memory via ARC, and
changing to the Clang front end and the LLVM compiler. This
allows for speed increases nearly everywhere. Apple may have
the only computers in the industry that have been getting faster
over time. The earliest Core2Duo machines, which ran 10.5, got
a speed boost when they moved to 10.6, and will once again get
a boost when moving to 10.7, particularly once the apps on the
machine are compiled specifically for 10.7. Think about the
contrast to Windows, here, where each new version of the OS
almost demands that you purchase a new hardware
component, if not an entire new machine. Of course, 10.7 will
leave some older Mac models in the past: Lion will require a
Core2Duo processor or better.
iOS 5

After discussing Lion, Phil
Schiller handed keynote responsibilities to Scott Forstall, who
spoke about iOS 5. While iOS 5 will benefit from the Objective-C
language and compiler improvements mentioned with Lion,
the next version of iOS also brings many visual and workflow
improvements. One of the most notable is the improvement to
the out of the box experience. No longer will you be greeted
with a “Connect to iTunes” message upon unboxing. Rather,
you'll see a “Welcome” screen, allowing you to use the device
immediately. Steve Jobs said that if we truly expect to enter the
“post-PC” era, we couldn’t continue to have such a dependency
on PCs. Another notable interface-lift is the Android-like
notification system: notifications are collected in a notification
area, exposed by sliding your finger from the top of the screen
down. Each notification can be acknowledged individually,
without dismissing other pending notifications.

We also will see the volume button turn into a shutter button
in locked mode, allowing pictures to be taken quickly, before the
moment has passed. Apple is also adding GPS-enabled
notifications, allowing you to set a reminder when you enter or
exit a particular area. How well that works vs. false positives
and late triggers remains to be seen.

Despite all of the UI changes and improvements,
people that I spoke with were still much more excited by the
technology under the hood. Patrick McCarron, an iOS developer,
told me, “I'm looking at making future updates to existing apps
where I’ll be able to actually delete old code due to Apple adding
better ways to do things that we've had to do ourselves until now.”

iCloud

Finally, Steve Jobs took the stage again and introduced
iCloud, Apple’s solution for syncing documents between all of
your Mac OS X and iOS devices. In reality, iCloud is an umbrella
term for several technologies. In one sense, iCloud is a sync
engine, performing some of the syncing that you’re already used
to with Mobile Me: contact and calendar syncing. In addition,
you'll now be able to sync documents between devices.

As many expected, iCloud was announced to also have a
music component. Here, iCloud turns into a licensing engine:


Apple already has all of this music on their servers—they
certainly don't need you to upload it. Of course, Apple doesn't
have every bit of music available. For any music that Apple
doesn't have, there are two options. First, Apple is offering
“iTunes Match.” This service will scan your iTunes library and, for
any music that Apple does have, it grants you a license and
makes that music available from the cloud. Interestingly, you get
Apple’s copy of the music. So, if you have a version that you
encoded long ago, iTunes Match will ‘upgrade’ you: the version
of this song now available to you will come as a 256k AAC file.
The second option is to just upload your copy of the song. For
example, if you’re a musician and have your own catalog—things
Apple may not have—you can just upload it.

During the Keynote, Steve Jobs announced that every iCloud
user would have 5GB of storage available for free. Apple is
following the Amazon model here: music purchased from Apple,
or that from iTunes Match, does not count against the 5GB of
storage. (Why would it? Apple is already storing all of this music.)
Mentioning that each user gets 5GB for free seems to imply that
there will be some tiers of pricing that allow an increase to that
storage. It wasn't mentioned at the Conference, nor was it made
clear at the time of this writing what the pricing will be or if this
will even be the case at all. One other looming question relates to
photos: photos will sync to Apple’s cloud, but only remain for
30 days. This is a first in an odd way: no other cloud provider has
ever made it clear that your data is perishable. Steve Jobs said
that, “30 days is enough time to sync to your devices.” I'm not
sure it is in all cases, and again, we'll see if there's some
price-point that allows one to override that default.

iCloud is certainly something long awaited by developers
and end-users alike. I'd say that Apple is actually catching up in
this space just a bit. After attempts such as iTools, dot Mac and
Mobile Me, it seems like they finally have their footing. Justin
Williams of Second Gear said, “I have cautious optimism for the
promise of iCloud, but Apple's past track record with web
services like MobileMe and .Mac causes me to tether that
optimism slightly. If it is indeed fast and reliable, I have no doubt
that it will become an integral part of many of the first and third-
party apps we use on a daily basis.” During the Keynote, Steve
Jobs said that, “if you think we’re not serious about this, you’re
wrong.” He went on to show a bit of Apple’s newest data center,
mentioning that it is capable, energy efficient and “green” in all
possible ways.

Apple’s vision here is a little different from everyone else in
the industry at the moment. As I mentioned earlier, iCloud is
actually composed of several parts, but overall is a sync engine
for data, and a licensing service for music (and no mention was
made for video in the cloud). This relies on native applications
running on each device. (Unlike Amazon and Google’s music
services, Apple doesn’t seem to allow streaming of your music—
you’ll need to download it to listen.) Naturally, the devices in
question are iOS devices and Macintosh computers. Apple also
did not indicate that there would be a web view into your storage
in the cloud (think Dropbox here). Also not mentioned, and still
unanswered, is the fate of iDisk and iWeb. Will there be an
iDisk-like solution offered? What will become of people’s Mobile
Me websites and photo galleries? Apple has roughly a year to
figure it out, announce it and make the switch, as the cutover
looks to be targeted at June 30th, 2012.

The Wrap Up

I’ve been mentioning ‘firsts’ throughout this article, and the
final first that I’ll mention was simply Apple’s attitude: clearly
no longer an underdog, Apple’s confidence was clear. No longer
taking pot-shots at Windows or other platforms, Apple knows
that the world at large has recognized their work.

Wil Shipley told me that, “[i]n terms of exciting new
technologies, this was the best WWDC in ten years for me.” I
would wholeheartedly agree. The advancements in the Objective-C
language and tools are really compelling, the updates to iOS are
truly useful and iCloud is certain to spawn new breeds of
applications on the platform. Apple may seem like a large
company, but it does have finite resources. Release dates have
been shifted back in time as Engineers needed to move from
one platform to another. Now, however, with iOS concepts
being brought to the Mac and Mac development conventions
being brought to iOS, it really seems that Engineering
resources are working together. Indeed, Daniel Jalkut of Red
Sweater Software said, “It feels like Apple’s plans are all coming
together. Sometimes their product and developer-tool designs
seem to be a bit haphazard, but so many of them are starting to
pay dividends that I think we’ll see an exciting couple of years.”
A unified team only allows Apple to perform better and
more efficiently. That’s good for all of us, and I’m excited to see
what not only Lion brings us, but operating systems past that,
too.

Mac in the Shell

by Edward Marczak

Ruby and the GUI, Part 2

Adding a real Cocoa GUI to a MacRuby application

Introduction

Last month, we began creating a GUI-based MacRuby
application: The Collector. This application goes off to collect log
files, put them on a disk image and drop the .dmg file on the
current user's desktop for ease of retrieval. We’ve only covered
the creation of the GUI itself so far. This month, we'll finish up
the code.

Restoring The Project

The full project is on the MacTech ftp site. You can certainly
download it in order to follow along; however, I encourage you
to type it in yourself. This gets you engaged in a way that simply
downloading the code does not.

Last month, we left our collectLogs method with one line:

    def collectLogs(sender)
      puts "Running the collectLogs method"
    end

This certainly helped illustrate when the method got called,
but it falls short of reaching our goal. This month, we'll fill that in.
Load up your previous Xcode project, and click on the
AppDelegate file in the project navigator. Add the code in Listing
1 to the collectLogs method, and then we'll step through it.

Listing 1: A working collectLogs method

    def collectLogs(sender)
      # Collect logs
      logpaths = %W(#{ENV['HOME']}/Library/Logs)

      # Set up UI
      collect.setEnabled(false)
      status_label.stringValue = "Collecting..."
      status_label.hidden = false
      spinner.startAnimation(:spinner)

      # Actually collect the logs
      dir = Dir.mktmpdir
      begin
        puts "Copying #{logpaths} to #{dir}"
        FileUtils.cp_r logpaths, dir

        puts "Sampling system.log"
        cmd = "syslog > #{dir}/system.log"
        %x[#{cmd}]

        # Put logs on disk image
        time = Time.now.to_i
        cmd = "hdiutil create -srcfolder #{dir} #{ENV['HOME']}/Desktop/Logs-#{time}.dmg"
        puts "Running #{cmd}"
        %x[#{cmd}]

        status_end = "Complete"
      rescue
        puts "Can't read log file."
        status_end = "Error - see logs"
      ensure
        # remove the directory.
        FileUtils.remove_entry_secure dir
      end

      # Reset the UI
      collect.setEnabled(true)
      status_label.stringValue = status_end
      spinner.stopAnimation(:spinner)
    end

This is now pure Ruby that gets to interact with Cocoa and
the objects created via Interface Builder. Let's step through it all a
few lines at a time.

    # Collect logs
    logpaths = %W(#{ENV['HOME']}/Library/Logs)

Here, we simply define the directory path of logs—either an
individual log file or a directory of logs—to collect. In this case,
we're only specifying one entry: the logs in the current user’s
home. (There's a reason for this that we'll get to later on.)

    # Set up UI
    collect.setEnabled(false)

Since this method is getting called when the user clicks the
"Collect" button, we don’t want repeated presses of that button to
do anything, so we disable it. This Ruby method call, by the way,
is equivalent to [collect setEnabled:NO]; in Objective-C.

    status_label.stringValue = "Collecting..."
    status_label.hidden = false
    spinner.startAnimation(:spinner)

These three lines are letting the user know what's going on. First,
the status label gets its text set to “Collecting...” and becomes
visible (its hidden attribute is set to false). Then, we start the
spinner’s animation. Next up is the heart of the action.
    # Actually collect the logs
    dir = Dir.mktmpdir
    begin

We start out with a temp directory made with the mktmpdir
method. This is important from a security perspective. If we chose
a static, known path, like /tmp/collector, anyone could drop
anything they want in that directory and have it included with our
disk image.

After that, we open a begin block to have control over error
trapping (with the rescue clause further on).

    puts "Copying #{logpaths} to #{dir}"
    FileUtils.cp_r logpaths, dir
    puts "Sampling system.log"

The two puts commands are just easy ways of getting information
into the system log. This is useful for tuning and diagnostic
purposes. The important line here is the cp_r method in the
FileUtils library. cp_r recursively copies a directory, or copies a
single file, depending on the source.

    cmd = "syslog > #{dir}/system.log"
    %x[#{cmd}]

This is a little bit of a trick. Rather than copy the system log itself—
which we can't, as we're not authorized—we use the syslog
command to dump a portion of the log into our temporary
directory. If you don't recall, %x is Ruby's way of running a shell
command. (If you haven't seen the syslog command, use it once,
and then look at the man page.)

    # Put logs on disk image
    time = Time.now.to_i
    cmd = "hdiutil create -srcfolder #{dir} #{ENV['HOME']}/Desktop/Logs-#{time}.dmg"
    puts "Running #{cmd}"
    %x[#{cmd}]
    status_end = "Complete"

Again, we use %x to shell out and run a command. In this case, we run
hdiutil to create a disk image from our temporary directory.
We use ENV['HOME'] to find the current user’s home directory
and Desktop. This is where we drop the final disk image. Notice
that we set a variable for what we want the status message to be—
it reflects success of the whole block.

    rescue
      puts "Can't read log file."
      status_end = "Error - see logs"

This rescue block fires off if something goes wrong. Again,
we set the status_end variable appropriately.

    ensure
      # remove the directory.
      FileUtils.remove_entry_secure dir
    end

No matter which path we take—the intended path, or the
rescue path—the ensure block runs. We always want to get rid of
the temporary directory we created.

      # Reset the UI
      collect.setEnabled(true)
      status_label.stringValue = status_end
      spinner.stopAnimation(:spinner)
    end

Finally, we perform actions that reset the GUI: re-enable the
‘Collect’ button, set the status_label to the success or failure
message as appropriate (contained in the status_end variable)
and we stop the spinner. The method then formally ends.

After all of that has run, the app is ready to listen for its next 
action: collect logs again, or quit. 
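
The difference between a static path such as /tmp/collector and Dir.mktmpdir, shown as an added example in plain Ruby (not code from the original column). The method names, the private_dir? check and the sandbox that stands in for /tmp and ~/Library/Logs are assumptions made for the illustration; image_argv goes one step beyond the column by building the hdiutil call as an argument list, so a home directory containing spaces is not re-parsed by a shell.

```ruby
require 'tmpdir'
require 'fileutils'

# Copy every path in logpaths into staging (as the column's cp_r call does)
# and return the relative paths of all files that a disk image built from
# staging would contain.
def stage_logs(logpaths, staging)
  FileUtils.mkdir_p(staging)            # silently reuses an existing directory
  FileUtils.cp_r(logpaths, staging)
  Dir.glob('**/*', base: staging)
     .select { |rel| File.file?(File.join(staging, rel)) }
     .sort
end

# True only for a real directory (not a symlink) that we own and that no
# other user can read, write or traverse: mode 0700 or tighter.
def private_dir?(path)
  st = File.lstat(path)
  st.directory? && st.uid == Process.euid && (st.mode & 0o077).zero?
end

# Weak variant: a fixed, guessable staging path. Whatever is already in
# that directory is swept into the image together with the logs.
def collect_with_static_path(logpaths, static_dir)
  stage_logs(logpaths, static_dir)
end

# Variant used in the column: a fresh, randomly named directory created
# with mode 0700 and removed again when the block exits.
def collect_with_mktmpdir(logpaths)
  Dir.mktmpdir('collector') do |dir|
    raise SecurityError, "#{dir} is not private" unless private_dir?(dir)
    stage_logs(logpaths, dir)
  end
end

# Argument list for the hdiutil call from Listing 1. Passed to
# system(*argv), each element reaches hdiutil as one argument and no
# shell ever interprets the paths.
def image_argv(dir, home, time)
  ['hdiutil', 'create', '-srcfolder', dir,
   File.join(home, 'Desktop', "Logs-#{time}.dmg")]
end

# Constructed sandbox: sandbox/home/Library/Logs plays the user's log
# folder and sandbox/tmp/collector plays a world-writable /tmp/collector
# in which another user has already left a file.
def demo
  Dir.mktmpdir('sandbox') do |sandbox|
    logs = File.join(sandbox, 'home', 'Library', 'Logs')
    FileUtils.mkdir_p(logs)
    File.write(File.join(logs, 'app.log'), "constructed log line\n")

    shared = File.join(sandbox, 'tmp', 'collector')
    FileUtils.mkdir_p(shared)
    File.chmod(0o777, shared)
    File.write(File.join(shared, 'planted.txt'), "not one of our logs\n")

    {
      static: collect_with_static_path([logs], shared),
      static_private: private_dir?(shared),
      mktmpdir: collect_with_mktmpdir([logs])
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "static path stages:  #{result[:static].inspect}"
  puts "static path private? #{result[:static_private]}"
  puts "mktmpdir stages:     #{result[:mktmpdir].inspect}"
end
```
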

Conclusion

Once again, we covered a good amount of ground this
month. Hopefully, this makes using MacRuby to create Mac OS X
applications a bit clearer to you. I'll be creating more in upcoming
columns, too—practical projects that have been inspired by
questions from people with real issues to solve, but not quite
knowing how to solve them. Let's solve these issues together.

Media of the month: Inception. I'll admit to being a bit
obsessed with this movie, so I'm recommending the movie, the
soundtrack, the bonus features...the lot. If you haven't seen it, get
to it! If you saw it in the theatre, it’s worth another look. It's
available on DVD, Blu-Ray, in iTunes and via Netflix, so it's really
available—in nearly any form you wish.

I hope you've gotten your ticket to MacTech Conference
2011, as everything is in order for another great event. Better yet,
be a speaker! We're still accepting submissions for speakers at
http://www.mactech.com/conference/speakers-app. Visit
http://www.mactech.com/conference for more information about
the conference in general and to purchase tickets. Hope to see
you in Los Angeles!

Developer to Developer

by Boisy G. Pitre

No Pane, No Gain
Part 2

Expanding our Preference Pane plug-in with Authorization Services

Introduction

Hello and welcome back to the Developer to Developer
column. If you followed last month's article, you’ll recall that
we delved into the creation of a preference pane plug-in for
the System Preferences application on OS X. We went so far
as to build the actual preference pane plug-in itself, and then
launched it in System Preferences. This month, we're going
to add security to our plug-in, as well as take a trip through
the debugger to see exactly how a preference pane plug-in is
debugged.

Expanding Our Preference Pane

Recall that last month we had a single button on our
preference pane plug-in. When this button was clicked, it
launched a browser to the website of our favorite magazine.
It was a simple, but effective way to demonstrate control
behavior in a preference pane. We'll expand the pane a bit
this month to include a checkbox which will, when checked,
direct us to the login page of the MacTech website. Of
course, the Xcode project for this new and expanded version
of the preference pane is downloadable from the MacTech
website, so go ahead and grab it.

Open the Xcode project and double click on the
D2DPref.xib file, which will load up Interface Builder. Note the
presence of the aforementioned checkbox above our now
familiar MacTech button.

The state of the button is actually saved in our preference
pane's preferences file, and uses Cocoa bindings to maintain
the value. Note in Figure 1 that our button's value is bound
to the goToLoginPage key, which itself is part of the shared
user defaults system. As the box is checked and unchecked,
the value is modified within the context of the preference
pane’s preferences file.

Figure 1. The Button Binding in the Interface Builder Inspector


Security and Authorization

Since preference pane plug-ins are system-wide
configuration interfaces, it is often necessary for them to
touch or modify files that are outside of the normal user's
purview. Apple provides several frameworks, including
Security.framework and SecurityInterface.framework, which
allow components like preference pane plug-ins the access
they need for such privileged operations. In our simple,
contrived example, we aren't in need of authorization
services, but we'll utilize it to some degree in our plug-in
because of its obvious benefits (and likely usage in your
applications).

For now, go back to Xcode and build the preference pane
plug-in, then double click the D2D.prefPane file under the
Products folder on the Xcode sidebar. This action should
trigger System Preferences to start up, copy the preference
pane plug-in, then invoke it. You should see a window with
the buttons and a padlock. Notice how the buttons are
currently disabled and non-selectable. Click on the padlock
and type in your password (note that you will need to provide
credentials from an administrator account in order for this to
work). Upon authorization, the padlock changes to the
unlocked position and you can interact with the buttons.
Clicking on the unlocked padlock will re-lock everything, and
the buttons will once again return to a disabled state.

Figure 2. The Plug-in in the Locked State


Now that we've demonstrated how authorization works,
let’s take a closer look at the implementation details.

With D2DPref.xib still loaded in Interface Builder, take a
look at the preference pane window and notice the view in the
lower area titled “SFAuthorizationView.” This view contains
our padlock and text, and is connected to the D2DPref
(represented by the File’s Owner object) via the authView
outlet. The D2DPref class will use this outlet in order to
obtain information about the state of the authorization.

Click on each of the buttons and examine the bindings in
the Inspector pane. As indicated above, the value of the
checkbox button is tied to the goToLoginPage key, which
is part of the user defaults. Furthermore, the Enabled
property of the button is tied to a variable called unlock
which is part of the D2DPref class (again, represented by
File's Owner). This variable will be the key to providing users
access upon successful authorization.

Moving back to Xcode, let's take a look at the code and
how it ties into our XIB file.

In our D2DPref.m file, we've expanded our
mainViewDidLoad method from last month quite a bit. Using
the Authorization framework, we set up our rights, which will
allow us to interact with the authorization view and unlock.
We then set ourselves as the delegate of the authorization view.

Accessor methods exist to allow us to obtain and set the
Boolean value unlocked. Finally, two SFAuthorization
delegate methods exist which are called when we are
authorized and deauthorized, setting and unsetting the
unlock variable respectively. Recall that our buttons’
enabled statuses are tied to this very Boolean via bindings, so
the act of modifying the unlocked variable causes the
buttons to be enabled and disabled automatically.

Debugging the Preference Pane Plug-in

Debugging a preference pane plug-in is not as
straightforward as debugging an application. This is precisely
because the plug-in itself cannot run; it needs a container
application to load it and activate it. That container, of course,
is the System Preferences application.
In order to debug the plug-in, we need to add a custom
executable in Xcode and make that our target. To do this,
locate the Executables tab in the Xcode pane, right click it,
then select Add > New Custom Executable...

A window will appear where you can type the
Executable Name and an Executable Path. Click the Choose...
button and navigate to /Applications/System Preferences,
making that your executable.

Figure 3. The Custom Executable Configuration Window

Now, we need to ensure that the preference pane plug-in
we want to debug is located in either the
/System/Library/PreferencePanes folder or the
Library/PreferencePanes folder in our home directory. Recall
that when we double click our D2D.prefPane product from
Xcode, System Preferences launches and performs the copy at
that time. This is the quickest way to ensure that our
preference pane plug-in is in the right spot for debugging. Go
ahead and do that now.

Once System Preferences has launched, quit it
immediately since it has performed its job and copied our
plug-in to the correct place. Now, from within Xcode, ensure
that our custom executable is indeed the active executable.
Set your breakpoint on the first executable line in the
mainViewDidLoad method, then perform a Build and
Debug from the Xcode Build menu. This action will launch
System Preferences. You will have to then click on the D2D
icon to invoke your plug-in, but as soon as you do, the
breakpoint will trigger and you will find yourself in Xcode.
From there, you can perform full analysis on variables, step
through the code, and watch the preference pane plug-in in
action.

Things To Watch For

A big mistake that people make when debugging a
preference pane plug-in is that they make a change to the
plug-in, re-build, then immediately invoke the debugger.
Remember, before debugging the plug-in, it must be copied
into either one of the two directories where preference pane
plug-ins reside. Without performing this step, you are
essentially debugging the previous version of the plug-in, not
the one just compiled. That is why we went through the extra
step of double clicking the preference pane plug-in from
within Xcode's Product folder to ensure that our most recently
compiled version was copied over.

Also, ensure that your plug-in is not running when
invoking the debugger. You can quit System
Preferences entirely, as it will simply be relaunched when you
invoke the debugger.

Summary

From controls to security to a ready-to-go Xcode project,
you now have all of the tools to build your very own System
Preferences plug-in. We touched on the authorization
framework and how we can configure our controls to respond
to the unlocking and locking of the authorization view for
security purposes. Finally, we took a quick run through the
debugger and mentioned some issues that can come into play
when we debug a plug-in. Hopefully this simple project can
be a starting point for your own preference pane plug-ins in
the future. There's also a lot more that we didn’t cover with
Authorization Services, so check out the bibliography for
additional references.

Taming Automatic Updaters 


Disabling application auto-updates 
for the enterprise environment 


by Greg Neagle, MacEnterprise.org 





Introduction 

Last month’s column was aimed at application developers 
and discussed ways developers could make their software 
more “enterprise-friendly.” One topic covered was that of 
auto-updaters. Here’s a recap of that topic: 

Many vendors have their applications check for their own 
updates. This is a great strategy for individual purchasers like 
home users, where the purchaser is the primary user and 
essentially the administrator for his or her own machine. But 
in an enterprise environment, applications that check for 
updates can be an annoyance. Bandwidth is wasted when one 
thousand copies of an application, all installed in a single 
company, go out to the Internet and retrieve one thousand 
copies of an update. Worse, once they've downloaded an 
update, these applications might alert the user of the software 
and ask for administrative credentials that the user doesn’t 
have. For these reasons, system administrators often want to 
turn off auto-update mechanisms for software they manage, 
especially if they have other methods of updating software for 
their organization. 

This month's column is once again aimed at systems 
administrators in large organizations. Auto-update 
mechanisms are becoming increasingly common, so managing 
the behavior of application auto-updaters is a growing 
problem for enterprise administrators. 

Microsoft Office 

Most enterprise deployments have to deal with Microsoft 
Office. Fortunately for the busy admin, Microsoft Office 2008 
and 2011 use the same auto-update mechanism. This 
mechanism is shared by some other Microsoft products, like 
Remote Desktop Connection 2. The updater is located at 
/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app. 
It uses standard Apple plist-style preferences, so it's easy to 
manage with MCX, Apple's preference management framework. 
If you are using MCX, you can use Workgroup Manager to import a 
com.microsoft.autoupdate2.plist file. Edit out every preference 
key except HowToCheck, which should be set to Manual. It 
should look something like Figure 1. 


[Figure 1: Workgroup Manager preference editor for 
com.microsoft.autoupdate2. The Once and Always dictionaries are 
empty; the Often dictionary holds one item, HowToCheck (string), 
set to Manual.] 

Figure 1 - Disabling Microsoft Autoupdate via MCX 


Note that we're managing the HowToCheck preference 
“Often.” Always doesn’t work with this application, so “Often" 
is the next best thing, and is sufficient in practice. If you'd like 
to turn off Microsoft AutoUpdate by default, but allow your 
users to turn it back on if they desire, manage this preference 
“Once.” 

What can you do if you aren't using MCX? Well, this might 
be a good reason to start using MCX! And you don’t need a 
Mac OS X Server to implement MCX, either. See my prior 
columns on LocalMCX in the MacTech archives, or better yet, 
buy a copy of the Apress book Enterprise Mac Managed 
Preferences by Edward Marczak and yours truly for a guide to 
implementing MCX or LocalMCX. 

But if you really can't or don’t want to use MCX, you 
could probably get by with a script that runs at login (perhaps 
by using a launchd LaunchAgent) and does this: 

#!/bin/sh 
/usr/bin/defaults write com.microsoft.autoupdate2 HowToCheck Manual 

The script has two lines - the “she-bang" line that lets the 
OS know that this is a shell script, and the defaults command, 
so watch the line wraps. You’d save this script somewhere like 
/Library/MyOrg/Scripts and create a LaunchAgent plist 
that looked something like this: 

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
<plist version="1.0"> 
<dict> 
    <key>Label</key> 
    <string>com.mactech.disableMAU</string> 
    <key>LimitLoadToSessionType</key> 
    <array> 
        <string>Aqua</string> 
    </array> 
    <key>ProgramArguments</key> 
    <array> 
        <string>/Library/MyOrg/Scripts/DisableMAU</string> 
    </array> 
    <key>RunAtLoad</key> 
    <true/> 
    <key>KeepAlive</key> 
    <false/> 
</dict> 
</plist> 


You would save this plist as 
/Library/LaunchAgents/com.mactech.disableMAU.plist. 
Owner and group must be root and wheel, 
respectively, and the mode must be 644. If you do everything 
correctly, on each user login, the script will run and set the 
appropriate value in Microsoft AutoUpdate’s preferences. 
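
One way to check the ownership and mode requirements just described before pushing the LaunchAgent out, as an added Python example that is not code from the article. The function names audit_launch_agent and build_sample, and the extra checks on the script the job runs, are assumptions of this example; the sample files are constructed.

```python
import os
import plistlib
import stat
import tempfile


def audit_launch_agent(plist_path, expected_uid=0, expected_gid=0):
    """Return a list of problems with a LaunchAgent plist (empty list = OK).

    The defaults 0:0 are root:wheel on Mac OS X; the parameters exist so the
    function can be exercised on test files owned by an ordinary user.
    """
    problems = []
    st = os.stat(plist_path)
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        problems.append("plist owner:group is %d:%d, expected %d:%d"
                        % (st.st_uid, st.st_gid, expected_uid, expected_gid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o644:
        problems.append("plist mode is %o, expected 644" % mode)

    try:
        with open(plist_path, "rb") as handle:
            job = plistlib.load(handle)
    except Exception as exc:  # malformed or truncated plist
        problems.append("plist does not parse: %s" % exc)
        return problems
    if not isinstance(job, dict):
        problems.append("plist root is not a dictionary")
        return problems

    if not isinstance(job.get("Label"), str):
        problems.append("missing Label")
    program = job.get("Program")
    if not isinstance(program, str):
        args = job.get("ProgramArguments")
        if isinstance(args, list) and args and isinstance(args[0], str):
            program = args[0]
        else:
            problems.append("no Program or ProgramArguments to run")
            return problems

    # Added checks (assumptions of this example, not stated in the article):
    # the script runs in every user's login session, so it should be an
    # executable owned by the expected user that nobody else can rewrite.
    if not os.path.isabs(program):
        problems.append("program path is not absolute: %s" % program)
    elif not os.path.isfile(program):
        problems.append("program does not exist: %s" % program)
    else:
        pst = os.stat(program)
        pmode = stat.S_IMODE(pst.st_mode)
        if pst.st_uid != expected_uid:
            problems.append("program is owned by uid %d" % pst.st_uid)
        if pmode & 0o022:
            problems.append("program is group- or world-writable (%o)" % pmode)
        if not pmode & 0o111:
            problems.append("program is not executable (%o)" % pmode)
    return problems


def build_sample(directory):
    """Write constructed copies of the article's script and plist.

    Returns (plist_path, script_path)."""
    script = os.path.join(directory, "DisableMAU")
    with open(script, "w") as handle:
        handle.write("#!/bin/sh\n/usr/bin/defaults write "
                     "com.microsoft.autoupdate2 HowToCheck Manual\n")
    os.chmod(script, 0o755)
    plist = os.path.join(directory, "com.mactech.disableMAU.plist")
    with open(plist, "wb") as handle:
        plistlib.dump({"Label": "com.mactech.disableMAU",
                       "LimitLoadToSessionType": ["Aqua"],
                       "ProgramArguments": [script],
                       "RunAtLoad": True,
                       "KeepAlive": False}, handle)
    os.chmod(plist, 0o644)
    return plist, script


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        plist, script = build_sample(tmp)
        owner = os.stat(plist)
        os.chmod(script, 0o777)  # simulate a script any user could rewrite
        for problem in audit_launch_agent(plist, owner.st_uid, owner.st_gid):
            print(problem)
```

On a deployed machine, call audit_launch_agent with only the plist path so that the root:wheel defaults apply.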





Other applications using Defaults/MCX 

Sparkle (http://sparkle.andymatuschak.org/) is a popular 
framework used in many applications to enable auto-updates. 
Applications that use the Sparkle framework all use the same 
preference keys to control update behavior. To disable 
auto-update checking for an application that uses the Sparkle 
framework, set SUEnableAutomaticChecks to false. 
Figure 2 shows an example in Workgroup Manager. 

Figure 2 - Disabling auto-update for VLC 

The defaults version of this would be: 

defaults write org.videolan.vlc SUEnableAutomaticChecks -bool FALSE 

Some other applications that use the Sparkle framework 
include: 

Adium 

BusyCal 

Colloquy 

CyberDuck 

Hulu Desktop 

MarsEdit 

NetNewsWire 

Perian 

Plex 

SubEthaEdit 
Suitcase Fusion 
TextMate 
Toast 

Still more 

There are many other applications whose auto-update 
behavior can be controlled in a similar manner. As long as 
they have a preference to disable auto-updates that is stored 
in a plist in ~/Library/Preferences, you should be able 
to manage it via MCX or defaults. A useful strategy is to 
turn off auto-updates in the application’s preferences, then 
examine the application's preferences plist to determine 
which key and value is needed. 
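
The before-and-after comparison described above can be automated. The following Python sketch is an added example, not code from the article: it diffs two snapshots of one preferences plist and reports nested values as PlistBuddy-style colon paths. The function names and the sample snapshots are constructed for illustration; only the key names SUEnableAutomaticChecks, AVGeneral and CheckForUpdatesAtStartup come from the article.

```python
import plistlib


def flatten(value, prefix=""):
    """Flatten nested dictionaries and arrays to {path: leaf value}.

    Paths use PlistBuddy's colon syntax, for example
    ':AVGeneral:CheckForUpdatesAtStartup:1'.
    """
    flat = {}
    if isinstance(value, dict):
        for key, child in value.items():
            flat.update(flatten(child, "%s:%s" % (prefix, key)))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            flat.update(flatten(child, "%s:%d" % (prefix, index)))
    else:
        flat[prefix] = value
    return flat


def diff_prefs(before_bytes, after_bytes):
    """Return [(path, old, new)] for every leaf added, removed or changed.

    None marks a value that is absent on one side (a plist cannot store
    None, so it is unambiguous). plistlib.loads() detects XML and binary
    plists on its own, so either format can be passed in.
    """
    before = flatten(plistlib.loads(before_bytes))
    after = flatten(plistlib.loads(after_bytes))
    changes = []
    for path in sorted(set(before) | set(after)):
        old = before.get(path)
        new = after.get(path)
        # Compare types as well as values: True == 1 in Python, but a
        # boolean and an integer are different plist types, and the
        # value written back must use the type the application expects.
        if type(old) is not type(new) or old != new:
            changes.append((path, old, new))
    return changes


# Constructed sample snapshots (not taken from a real machine): a flat
# Sparkle-style preference, and a nested layout matching the PlistBuddy
# path shown for Adobe Reader, each before and after update checks were
# switched off in the application's own preferences window.
SPARKLE_BEFORE = plistlib.dumps(
    {"SUEnableAutomaticChecks": True, "WindowWidth": 800})
SPARKLE_AFTER = plistlib.dumps(
    {"SUEnableAutomaticChecks": False, "WindowWidth": 800},
    fmt=plistlib.FMT_BINARY)
NESTED_BEFORE = plistlib.dumps(
    {"AVGeneral": {"CheckForUpdatesAtStartup": [0, True]}})
NESTED_AFTER = plistlib.dumps(
    {"AVGeneral": {"CheckForUpdatesAtStartup": [0, False]}})


if __name__ == "__main__":
    samples = ((SPARKLE_BEFORE, SPARKLE_AFTER), (NESTED_BEFORE, NESTED_AFTER))
    for before, after in samples:
        for path, old, new in diff_prefs(before, after):
            print("%s: %r -> %r" % (path, old, new))
```

A top-level path such as :SUEnableAutomaticChecks maps directly to a defaults or MCX key; a deeper path is the argument PlistBuddy's Set command takes.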

Here are a few examples. I give the "defaults" version, but 
you should be able to easily translate these into MCX as well. 

iTunes 

defaults write com.apple.iTunes disableCheckForUpdates -bool TRUE 


iWork 

defaults -currentHost write com.apple.iWork SFLDefaultsAutoUpdateCheck -bool FALSE 

(-currentHost corresponds to “ByHost” managed 
preferences) 

iMovie 8 

defaults write com.apple.iMovie8 AutoUpgradeCheck -bool FALSE 

(I don’t have access to iMovie 9, but it should be 
similar...) 

iDVD and iPhoto 

defaults write com.apple.iDVD CheckForUpdates -bool FALSE 
defaults write com.apple.iPhoto CheckForUpdates -bool FALSE 

iWeb 

defaults write com.apple.iWeb SFLDefaultsAutoUpdateCheck -bool FALSE 

GarageBand 

defaults write com.apple.garageband MPrefs_NextUpgradeCheck -date 'Dec 31, 2100 12:00:00 PM' 

This just sets the date of the next check into the far future, 
since GarageBand doesn’t seem to have an explicit on/off 
switch for update checks. The inconsistency between the 
various iLife apps is surprising. 


Flip4Mac WMV 

This is a QuickTime plugin that allows QuickTime to play 
Windows Media files. 

defaults write net.telestream.wmv UpdateCheck_CheckInterval -int 9999 

OmniGroup applications 

defaults write com.omnigroup.OmniFocus AutomaticSoftwareUpdateCheckEnabled -bool FALSE 
defaults write com.omnigroup.OmniPlan AutomaticSoftwareUpdateCheckEnabled -bool FALSE 
defaults write com.omnigroup.OmniOutlinerPro3 AutomaticSoftwareUpdateCheckEnabled -bool FALSE 

(I imagine this same key works for all of the OmniGroup 
applications, though I haven't personally tested them all.) 

TextWrangler and BBEdit 

defaults write com.barebones.textwrangler SUSoftwareUpdateEnabled -bool FALSE 

defaults write com.barebones.bbedit SUSoftwareUpdateEnabled -bool FALSE 


Google applications 

This includes Chrome, Google Earth and Google 
SketchUp. 

defaults write com.google.Keystone.Agent checkInterval 0 

See 
http://www.google.com/support/installer/bin/answer.py?answer=147176 
for additional detail. 

Other Third-Party Applications 

There are several popular third-party applications whose 
updaters cannot be managed via defaults or MCX since they 
do not store their preferences using Apple's preference plists. 
These require additional effort to disable. 

Adobe CS5 applications 

If you use the Adobe Application Manager, Enterprise 
Edition (AAMEE) to create Adobe CS5 enterprise installation 
packages for your organization, you can disable the Adobe 
Updater by clicking a checkbox in AAMEE. But if you didn't 
do that, or are installing Adobe CS5 apps with some other 
method, it’s still possible to disable the Adobe Updater by 
creating a special file at 
/Library/Application Support/Adobe/AAMUpdaterInventory/1.0/AdobeUpdaterAdminPrefs.dat. 
Details are available at 
http://kb2.adobe.com/cps/850/cpsid_85016.html. 

Adobe CS3 and CS4 applications 

The Adobe Creative Suite 4 Deployment Toolkit can 
create CS4 installation “packages” that suppress update 
checks. Adobe also documents how to disable updates when 
doing an enterprise deployment of CS3 products here: 
http://www.adobe.com/support/deployment/cs3_deployment.pdf. 
If you didn't suppress updates when building your installer 
package, or you've installed CS3/CS4 applications by other 
means, you can still disable the updater. 

The updater for Adobe CS3 and CS4 products can be 
disabled using a preferences plist. You could probably 
manage this via MCX or defaults, but by creating a single file, 
you can turn off the Adobe Updater for all users of a machine. 
This file could be pushed out with your software deployment 
utility of choice. 

defaults write /Library/Preferences/com.adobe.AdobeUpdater.Admin Disable.Update -bool TRUE 

See http://kb2.adobe.com/cps/408/kb408711.html for 
more details. 

Adobe Acrobat Pro and Reader 

Disabling automatic update checks for Acrobat Pro and 
Reader is a bit challenging. There is no global mechanism; the 
preference is per-user. Though it is stored in a plist in 
~/Library/Preferences, it’s nested in a way that makes 
it difficult to manage with defaults or MCX. One tool that 
can set the correct value is PlistBuddy: 

/usr/libexec/PlistBuddy -c "Set :AVGeneral:CheckForUpdatesAtStartup:1 false" ~/Library/Preferences/com.adobe.Reader_x86_9.0.plist 

The actual name of the plist file depends on the product, 
version, and architecture of the machine: 

Acrobat Pro 9.x: 

com.adobe.Acrobat.Pro_x86_9.0.plist 
com.adobe.Acrobat.Pro_ppc_9.0.plist 

Adobe Reader 9.x: 

com.adobe.Reader_x86_9.0.plist 
com.adobe.Reader_ppc_9.0.plist 

For Acrobat Pro X and Adobe Reader X, the preference is 
stored slightly differently, nested inside a dictionary named 
“10”: 

/usr/libexec/PlistBuddy -c "Set :10:AVGeneral:CheckForUpdatesAtStartup:1 false" ~/Library/Preferences/com.adobe.Reader.plist 

The preference file is com.adobe.Acrobat.Pro.plist for 
Acrobat Pro X, and com.adobe.Reader.plist for Adobe Reader X. 

See 
http://kb2.adobe.com/cps/837/cpsid_83709/attachments/Acrobat_Reader_Updater.pdf 
for more information. 

Adobe Flash Player 10.3 

With the 10.3 release of Adobe’s Flash Player, Adobe 
introduced new automatic update notifications. They also 
documented a method for administrators to disable update 
notifications here: 
http://kb2.adobe.com/cps/167/16701594.html. This 
involves creating a file at 
/Library/Application Support/Macromedia/mms.cfg 
with the following contents: 

AutoUpdateDisable=1 


For an enterprise deployment, one could just push out 
that file (naked or bundled inside a package) using your 
favorite software deployment mechanism. 

Mozilla Firefox 

Firefox stores its preferences, including its auto-update 
preferences in a manner unlike most other applications. Not 
only is the preferences file in a unique format, its path is not 
the same on any two machines or for any two users. Managing 
Firefox’s auto-update behavior is a part of managing Firefox 
in general. I've written on that subject quite a bit, including in 
two past issues of MacTech, and several postings on 
http://managingosx.wordpress.com. There are several 
approaches to actually deploying the preferences that you can 
choose from the various articles I've written, but the specific 
preferences for application and extensions updates are: 

pref("app.update.enabled", false); 
pref("app.update.autoUpdateEnabled", false); 
pref("extensions.update.autoUpdate", false); 
pref("extensions.update.enabled", false); 

If you want to lock these choices down so that users 
cannot re-enable update checks, use “lockPref()” instead: 

lockPref("app.update.enabled", false); 
lockPref("app.update.autoUpdateEnabled", false); 
lockPref("extensions.update.autoUpdate", false); 
lockPref("extensions.update.enabled", false); 

This article: 
http://managingosx.wordpress.com/2010/01/11/firefox-default-settings-revisited/ 
might be a good place to start if you 
are new to managing Firefox. 

Conclusion 

As you’ve seen, there are almost as many ways to manage 
auto-update behaviors as there are applications with auto- 
updaters. Disabling automatic updates may require the use of 
many tools and skills. A working MCX setup (even LocalMCX) 
is invaluable for managing auto-updaters that use Apple’s 
standard preference plists to store their preferences. But you 
may need to resort to other tools for other software. Some 
tools you may need to use include defaults, PlistBuddy, 
packaging tools, launchd LaunchAgents, and third-party 
deployment, provisioning, and/or configuration tools. 


The sheer number of applications that have some sort of 
auto-update behavior, and the work needed to discover and 
implement a method to disable auto-updates for each 
application may make you discouraged that you'll ever be able 
to control them all. It might be too time-consuming to make 
sure automatic updates are turned off for every single piece of 
software you deploy. If this is the case, focus your efforts on 
software used by the largest numbers of your client base. 
Additionally, make use of any help the software vendor may 
have provided. If the vendor has provided a method to turn 
off automatic updates as part of the initial installation, take 
advantage of it! 

Leveraging Windows Servers 
to Bring Sanity to Large-scale 
iOS Operations 



Introduction 

iPads, iPhones and iPod Touches run the iOS operating 
system. The iOS platform brings with it an entirely new way of 
dealing with computers in enterprises. Forget bare metal 
imaging, forget multi-user operating systems and forget scripting 
large-scale operations on client computers. But just because a 
new paradigm has been introduced you don't have to forget the 
whole idea of centralized management. 

The enterprise integration of iOS is still one that lacks 
maturity. The frameworks (APIs) from Apple for such integration 
are still less than one or two years old in many cases. Compare 
this to some of the technology built into Mac OS X that is 10 or 
20 years old and you have a completely new playing field. 
Combine the platform’s lack of tenure with the rapid sales 
growth of iOS based devices at 14 million iPads in the first year 
and all of a sudden you have a serious challenge for many 
enterprises; one without an officially sanctioned compelling 
story for large scale operations. To some degree, the lack of such 
a story is quite possibly because it is a new paradigm. It's one 
where you have to forget much of what you know about how 
to run IT and start anew. 

But how's this for a compelling story? A user cannot break 
an iOS based device by installing an application. Let's repeat 
that, your users cannot break the operating system on their 
device even if they want to. You need to ensure that they 
operate securely, and in this article we'll look at some ways to 
make sure that they do so. However, if one argument behind 
stringent policies has always been lowering support costs then 
if a user cannot break a device and operates securely then how 
many policies do you need? This is just one example of how a 
new platform brings with it a new outlook on IT operations. 

Few people should use a device without a pass code and a 
few basic security precautions. Users need access to file servers. 
The growth of iOS based products in large environments means 
that there are more and more enterprises looking to adopt a 
platform that enables services similar to those available for other 
platforms. The Enterprise Desktop Alliance (EDA) has developed 
a strategy for leveraging existing Windows Server administrators 
and infrastructure in order to provide command, control and 
connectivity services to Mac OS X clients, and now to iOS based 
clients as well. 

The EDA includes Absolute Software, Centrify, GroupLogic, 
IBM and WebHelpDesk, all able to run on Microsoft Windows 
Server 2008 R2. Of these, the following vendors fill very specific 
voids for the integration of iOS based devices: 

Absolute Software: Endpoint management for PCs, Macs 
and iOS devices 

GroupLogic: Providing centralized file sharing services from 
Windows file servers 

IBM: Web and groupware services as well as highly 
available Windows Server hardware 

WebHelpDesk: Trouble ticketing and inventory 
management 

This ecosystem provides systems that work very well 
together or independently maximizing the efficiency of staff and 
giving administrators replicable, highly available, well 
documented and vendor supported infrastructures. In this, the 
final installment of the EDA series on moving from Mac OS X 
Servers to Windows Servers, we will change direction a little bit, 
much as Apple is doing, and take a deep dive into the immature 
realm of integrating iPhones, iPads and iPod Touches en masse, 
as first class citizens on enterprise networks. 

As we have been showing throughout this series of articles, 
the move from Mac OS X Server to Windows Server to support 
Mac OS X clients can be less cumbersome than many previously 
thought. The platform is considerably more scalable, with 
virtualization end-to-end and true high availability options. And 
in many environments, Active Directory has been integrated for 
years and so administrators are already well versed in Windows 
Server administration basics. The impact of replacing systems on 
existing middleware components though, can be amongst the 
most impactful. In this article we will go a step further and 
extend the options for Mac OS X clients over to iOS clients, so 
these devices can have the failover and cluster-ability that they 
will require as adoption continues to scale to meet the desires 
of users. 

Management Please? 

As we showed in previous articles, large-scale management 
of Mac OS X means imaging, managed preferences, package 
management, a little scripting and a lot of control. These are 
handled a bit differently in an iOS world than for Mac OS X. For 
starters, there is no bare metal imaging for iOS. You do not lay 
raw bits on devices. Instead you build profiles with settings that 
are required and then assign those profiles to devices. These 
profiles can be created using iPhone Configuration Utility and 
then applied to devices through USB or over the air using email 
or SMS. This represents a huge move away from the NetBoot/asr 
combo-punch that is imaging for Apple desktops and portables. 

Imaging is different, as is policy management. iOS provides 
control equivalent to managed preferences in what is known as 
Mobile Device Management, or MDM for short. MDM allows for 
over the air management of iOS based devices. MDM takes the 
options available in iPhone Configuration Utility and makes 
them available to iOS based devices. Think of a configuration 
profile from iPhone Configuration Utility as a wired 
configuration tool and then MDM as a means to long-term 
manage those features over the air. 

Package and patch management are also a very different 
option en masse. Consider Software Update in Mac OS X: users 
are prompted to install updates, administrators can centrally 
release patches using Mac OS X Server or Absolute Manage and 
deploy software through Apple Remote Desktop, Absolute 
Manage or Centrify, without any interaction with end users. 
None of these are possible in iOS. Application installations and 
software updates are end user, or device initiated processes. 
Whether you need to install an application from Apple’s app 
store, update the operating system on devices or initially enroll 
a device in a MDM environment so it can be centrally managed, 
you or a user will need to initiate those processes. There are 
ways to ease this burden, but none to eliminate it. 

iTunes 

A number of enterprise environments do not allow access 
to iTunes. Sure, it is possible to manage iOS based devices 
without iTunes. But it is no simple task. Restricting access to 
options with iTunes is also a challenge. The policies put in place 
in many an enterprise that restrict iTunes from accessing Apple 
servers are going to mean that major operating system updates 
cannot be installed for iOS based devices as those usually work 
using each client's instance of iTunes to connect to Apple's 
servers. 

Operating system updates cannot currently be performed 
over the air. A new iOS version will some day need to be 
installed. If users do not have access to iTunes, this will be a 
challenge to say the least, as each user is going to need to bring 
their iOS devices into a central location. For environments that 
allow iTunes, keeping operating systems up-to-date means 
cradling the device and when prompted, clicking on Download 
and Update, as seen in Figure 1. 


[Figure 1: iTunes dialog reporting that a new iPhone software 
version (4.3.1) is available for the iPhone "Charles Edge's 
iPhone", with Cancel, Download Only, and Download and Update 
buttons.] 

Figure 1 - Updating iOS Software 

Backups also need iTunes. When users synchronize iOS 
based devices with iTunes, iTunes makes a backup of the device 
automatically. Devices can also be backed up by right-clicking 
on the device in the iTunes sidebar and clicking on backup. 
Users can see when devices have been most recently backed up 
by clicking the Devices tab in iTunes Preferences. 


Figure 2 - Accessing iTunes Backups 

iTunes is also required for restoring devices. Restoration is 
available either by right-clicking the device in the iTunes sidebar 
and clicking on Restore from Backup or by using the Restore 
button when the device has been selected within iTunes 
(manual updates can also be run from this screen and backups 
can be configured to be encrypted here as well). 

Figure 3 - Using iTunes to Manage iOS Devices 

If an organization isn't willing to provide access to iTunes, 
backup and restoration is still possible either by setting up a 
synchronization station or a computer at an internal genius bar 
for doing so. By default, iTunes will attempt to backup a device 
when plugged in. When each iOS based device is first used (or 
wiped), it will need to be activated. Doing so requires plugging 
a device into iTunes, which means that if a user has their iPhone 
wiped while on the road and just wants to make phone calls, 
they will first need to plug the device into iTunes. 

When administrators are only looking to activate a lot of 
devices, the backup and other options in iTunes will get in the 
way. When loading software, configuring wireless networks and 
enrolling devices with management environments the device 
will need to be plugged into iTunes at least once, even if all 
other setup options will be done over the air. Therefore “iTunes 
Activation Mode" ejects a device once it’s been activated rather 
than synchronizing or backing up the device. By setting iTunes 
to activation mode, administrators can reduce the number of 
touches for the activation process. To do so, use the defaults 
command to write a 1 (or TRUE) into the StoreActivationMode 
key into com.apple.iTunes.plist: 

defaults write com.apple.iTunes StoreActivationMode -integer 1 


iTunes also has a genius mode, which is used to configure 
computers to be able to backup and restore iOS devices. Genius 
mode does not associate a device to a computer and can be 
used to setup a backup station in environments where iTunes is 
not accessible. To activate genius mode use the defaults 
command to write a 1 (or TRUE) into the StoreGeniusMode key: 

defaults write com.apple.iTunes StoreGeniusMode -integer 1 

Both of these can be disabled by closing iTunes and then 
deleting the respective key. Both are also available in Windows 
using the process explained at 
http://krypted.com/iphone/itunes-and-mass-activation. 

iOS updates can be installed using iTunes or using Xcode 
Organizer. Xcode Organizer is available in the Apple Xcode tools 
(distributed with each copy of Mac OS X) provided you have an 
iOS developer certificate. 

iPhone Configuration Utility 

iPhone Configuration Utility is a tool, distributed by Apple 
at http://support.apple.com/kb/DL926 (for Windows) and 
http://support.apple.com/kb/DL851 (for Mac OS X). iPhone 
Configuration Utility can be used to create “profiles” in the form 
of .mobileconfig files. These files are property lists containing 
settings that a device will have when deployed. This is similar to 
how the “Once” Managed Preferences work. Users can change 
settings once they are deployed, but will have the “blessed” 
settings as their initial configuration. These Configuration 
Profiles allow administrators to do much of the initial setup 
work with a minimal amount of effort per device, prior to 
placing iOS based devices in the hands of users. 

Figure 4 - Creating a Profile in iPhone Configuration Utility 

The iPhone Configuration Utility also allows administrators 
to make what are known as Provisioning Profiles. Provisioning 
Profiles deploy internal software to devices. These can include 
applications currently pending submission to the App Store 
(e.g. beta software) or applications built for internal use at an 
organization. Prior to using iPhone Configuration Utility to 
deploy a software package, administrators would need an 
exported application package from Xcode. Provisioning Profiles 
are stored as .mobileprovision files rather than .mobileconfig 
files. For more on provisioning software, see the Apple 
developer site at 
http://developer.apple.com/devcenter/ios/index.action. 

iPhone Configuration Utility stores its data in the 
~/Library/MobileDevice directory. Here, Configuration Profiles 
and Provisioning Profiles are stored in directories of 
corresponding names. Names of each profile are hexadecimal- 
based, followed by the corresponding extension type. 
Additionally, devices are stored in a Devices subdirectory, with 
each having a file that is named based on the Identifier of the 
device. Profiles can be exported and then copied to a web page, 
emailed to devices and installed over the air, or deployed 
through iPhone Configuration Utility. 

Building Configuration Profiles 

To build a configuration profile, first install the iPhone 
Configuration Utility. Once installed, open iPhone Configuration 
Utility and click on Configuration Profiles in the LIBRARY 
sidebar. Here, a list of options, including General, Passcode, 
Restrictions, Wi-Fi, VPN, Email, Exchange ActiveSync, LDAP, 
CalDAV, CardDAV, Subscribed Calendars, Web Clips, Credentials, 
SCEP, Mobile Device Management and Advanced, will be 
provided. These allow administrators to deploy settings of each 
type to iOS based devices. 


The General settings are required. This is where the identity 
of the profile is created. Similar to an OS X installer package in 
that a unique identifier will be created. In the example provided, 
we used com.mactech.ipad as the unique Identifier and 
MacTech iPad Profile as the Name. Both of these can be seen on 
the device, as can the Description. Whether or not an end user 
can remove a profile is set using the Security field in this screen, 
with options of Always, With Authorization and Never. It is 
recommended to use With Authorization and Always, as in order 
to remove a Configuration Profile with Security set to Never, 
administrators will need to wipe the device. 

Once you have configured the General settings, choose 
which of the other settings should be configured. These 
include: 

Passcode: Used to force a passcode and then control the 
complexity, history requirements and acceptable characters of a 
passcode. Also used to configure device lock settings, grace 
periods for device locks and how many invalid attempts to allow 
prior to wiping the device. 

Restrictions: Allows configuration of options otherwise 
found using the Settings App and then tapping on Restrictions. 

Wi-Fi: Sets up wireless networks that a device will have 
access to and allows caching of credentials for wireless networks 
that require passwords. 

VPN: Configures VPN client and allows proxy configuration 
for VPNs. 

Email: Used to install POP and IMAP mail accounts. 

Exchange ActiveSync: Deploys settings for Microsoft 
Exchange servers. 

LDAP: Sets up LDAP server user, password, SSL and Search 
Base. 

CalDAV: Defines settings for CalDAV servers. 

CardDAV: Defines settings for CardDAV servers. 

Subscribed Calendars: Subscribes to calendar files 
(read-only). 

Web Clips: Closest option available to pushing software to 
a device, allows for deployment of web clips that can be used 
to access web applications or other web sites. 

Credentials: Deploy certificates to devices. 

SCEP: Deploy certificate servers to devices. 

Mobile Device Management: Install MDM Certificates on 
devices. 

Advanced: Configure carrier access points. 

Most environments will only use 3 or 4 of these options at 
most. For environments using MDM, it is likely unwise to 
configure other settings in the Configuration Profile that may 
conflict with those deployed by the MDM server (more on MDM 
in the MDM section of this article). The settings here can be 
specific to a device or left generic. 

Figure 5 - Passcode Settings in iPhone Configuration Utility 


Exporting .Mobileconfig Files 


Set the Security of the exported .mobileconfig file. Options 
include: 

None: No encryption will be used. 

Sign configuration profile: The configuration profile will 
contain a digital signature so if it is altered, administrators will 
know. 

Create and sign encrypted configuration profile for each 
selected device: Signs and encrypts profiles. 

Choose the device that the profile will be exported for (if 
profile is signed and encrypted). 

Click on Export... 





Figure 6 - Settings for Exported Profiles 


Choose a location to store the profile. 
Figure 7 - Exporting Configuration Profiles 


Profiles can contain a good bit of information about the 
security of an iOS based deployment. Configuration Profiles help 
to automate the deployment of large numbers of iOS based 
devices, but the long-term configuration management needs of 
most organizations will require the ability to push changes to 
devices. This is where MDM comes into play. 


Once configuration files have been created, they can be 
exported. Configuration Profiles are exported into a property list 
structure known as a .mobileconfig file. To export a 
Configuration Profile: 

Open iPhone Configuration Utility. 

Click on Configuration Profiles in the LIBRARY sidebar. 
Choose the Configuration Profile to export. 

Click on the Export button in the application toolbar. 
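
Because the exported .mobileconfig is a property list, it can be reviewed before it is emailed or posted to a web page. The following Python audit is an added example, not from the original article or from Apple's tools; it reports whether the export is signed or encrypted, whether removal is disallowed, and weak Passcode and Wi-Fi payload settings. The payload keys are those of Apple's configuration profile format, while the baseline thresholds, the sample profile and the stand-in signature envelope are constructed for illustration.

```python
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"
WIFI = "com.apple.wifi.managed"
# Assumed baseline for this example only; substitute your own policy values.
MIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 10


def load_profile(data):
    """Return (profile, signed). A signed export wraps the XML plist in a CMS
    (DER) envelope, so the plist is located inside it by its markers. This
    only detects the envelope; it does NOT verify the signature, and it
    assumes the plist is stored as one contiguous run of bytes."""
    if data[:5] == b"<?xml" or data[:6] == b"bplist":
        return plistlib.loads(data), False
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no property list found")
    return plistlib.loads(data[start:end + len(b"</plist>")]), True


def audit_passcode(payload):
    """Check one Passcode payload against the assumed baseline."""
    out = []
    if not payload.get("forcePIN", False):
        out.append("passcode: not required (forcePIN off)")
    if payload.get("allowSimple", True):
        out.append("passcode: simple values allowed (allowSimple on)")
    if payload.get("minLength", 0) < MIN_LENGTH:
        out.append("passcode: minLength below %d" % MIN_LENGTH)
    failed = payload.get("maxFailedAttempts")
    if failed is None or failed > MAX_FAILED_ATTEMPTS:
        out.append("passcode: no wipe within %d failed attempts"
                   % MAX_FAILED_ATTEMPTS)
    return out


def audit_profile(data):
    """Return a list of findings for one exported .mobileconfig file."""
    profile, signed = load_profile(data)
    findings = []
    if not signed:
        findings.append("unsigned: changes to the file cannot be detected")
    if profile.get("PayloadRemovalDisallowed", False):
        findings.append("removal: user cannot remove profile without a wipe")
    if "EncryptedPayloadContent" in profile:
        # Encrypted for one device: payloads are not readable here.
        findings.append("encrypted: payloads not inspectable without device key")
        return findings
    payloads = profile.get("PayloadContent", [])
    if not any(p.get("PayloadType") == PASSCODE for p in payloads):
        findings.append("passcode: no passcode payload in profile")
    for p in payloads:
        if p.get("PayloadType") == PASSCODE:
            findings.extend(audit_passcode(p))
        elif p.get("PayloadType") == WIFI and p.get("Password"):
            # Signing does not hide this value; only encryption does.
            findings.append("wifi: password for %r readable in the profile"
                            % p.get("SSID_STR"))
    return findings


def sample_profile():
    """Constructed sample using the identifier and name from the article."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.mactech.ipad",
        "PayloadDisplayName": "MacTech iPad Profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [
            {"PayloadType": PASSCODE, "PayloadVersion": 1,
             "PayloadIdentifier": "com.mactech.ipad.passcode",
             "PayloadUUID": "00000000-0000-0000-0000-000000000002",
             "forcePIN": True, "allowSimple": True, "minLength": 4},
            {"PayloadType": WIFI, "PayloadVersion": 1,
             "PayloadIdentifier": "com.mactech.ipad.wifi",
             "PayloadUUID": "00000000-0000-0000-0000-000000000003",
             "SSID_STR": "ExampleCorp", "EncryptionType": "WPA",
             "Password": "constructed-sample-only"},
        ],
    }


# Constructed inputs: a plain export and the same plist inside a stand-in
# envelope (not a real CMS signature) to exercise the signed-file path.
SAMPLE_UNSIGNED = plistlib.dumps(sample_profile())
SAMPLE_WRAPPED = b"\x30\x80constructed-envelope" + SAMPLE_UNSIGNED + b"\x00\x00"

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_UNSIGNED):
        print(line)
```

Run it against the file written by the Export step by passing the file's bytes to audit_profile(); a real signature check still has to be done with a CMS-capable tool.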


Configuration at scale using MDM 

MDM, or Mobile Device Management for short, is an API 
from Apple that allows the options in a .mobileconfig file to be 
pushed to devices over the air, leveraging Apple’s Push 
Notification Service. MDM goes further than the options in 
.mobileconfig files, also allowing administrators to wipe, lock and 
reset passcodes on devices Over the Air (or OTA). Deployment 
is very important as environments scale into enterprises. While 
.mobileconfig files can be deployed over the air using web and 
email, MDM enrolls devices and allows administrators to control 
settings on devices centrally in an object-oriented fashion. 

Figure 8 - Viewing Device Information in Absolute Manage 

MDM Requirements 

Hosting an MDM solution is a must for many organizations. 
But doing so comes with a number of requirements. 

Enterprises that will be using an MDM solution will need an 
Enterprise Developer Certificate from Apple. 

Obtaining an Enterprise Developer Certificate from Apple can 
be done at http://developer.apple.com. Before beginning the 
process, it is worth noting that Apple has a number of 
requirements for obtaining an Enterprise certificate, including 
enrollment in the iOS Developer Enterprise Program 
(http://developer.apple.com/programs/ios/enterprise/), which 
requires a valid Dun & Bradstreet Number (DUNS) and a $299 
per year enrollment fee. 

The Developer Certificate is used to create an MDM Push 
Notification Certificate in the Apple Provisioning Portal. To 
install an MDM solution, a valid SSL certificate will also be 
required. Finally, if deploying applications, an In-house 
Distribution Certificate will need to be generated in the Apple 
Provisioning Portal. Once all of the MDM requirements have been 
met, then installation of the software for any of the MDM 
providers can commence. 

Absolute Manage 

Absolute Manage is a solution that allows for centralized 
management of Mac OS X, Windows and now, iOS based 
devices. The management of iOS based devices is done through 
MDM using the same Admin Console already used to manage 
the other platforms, making it a seamless integration for 
environments that have already invested resources into training 
their staff on the product. Absolute Manage also brings with it 
the ability to run on Mac OS X or Windows. 

Here, we will look at leveraging Absolute Manage to 
provide MDM services to iOS based devices, as it can be run on 
a Windows Server. The management tools themselves will be 
run from a Mac OS X 10.6 client system. 

Leveraging MDM, Absolute Manage can centralize 
management for iOS based devices and track applications that 
have been installed as well as many of the common settings 
used on devices. To get started, first follow the steps outlined at 
the following website to perform the installation of Absolute 
Manage MDM: http://macte.ch/AMMDM. 

Once installed, use the Absolute Manage Admin utility. 
From there, devices will be available by selecting Mobile 
Devices from the Window drop-down menu. From the iOS 
Devices screen, there are a number of built-in groups for iOS 
based devices, broken down by each of the hardware platforms 
capable of running iOS. 

Here, the MAC addresses, firmware versions, serial numbers 
and other device-specific information can be seen per device. 
Administrators can also use the disclosure triangle beside each 
device to look at installed Applications, Certificates, Provisioning 
Profiles and Configuration Profiles assigned to each device. 

Enrollment 

Now that we have shown how to see iOS based devices, 
let's look at the process to enroll a device in Absolute Manage. 
Once Absolute Manage has been set up and configured, a 
standard enrollment page will be accessible. Administrators can 
host the enrollment bootstrap file on any web server and protect 
the file in a variety of ways. The file can be accessible to anyone, 
protected with a password or protected with a username and 
password that is tied into the authentication provided by an 
Active Directory server. Provided users can get to the page, they 
will authenticate and then be enrolled. 
Many of these options involve immediate actions, such as 
locking a device. Policies that were created in iPhone 
Configuration Utility can also be applied, allowing Absolute 
Manage to handle any options that Apple provides using a 
configuration profile. 
Figure 9 - Absolute Manage Enrollment 


Managing Devices 

Once enrolled it will be possible to manage devices in a 
variety of ways. Similar to how Find My iPhone works for 
MobileMe users, administrators will be able to use Absolute 
Manage to lock devices, reset passcodes and remotely erase 
devices. It is also possible to send messages to devices and 
manage policies. All of this can be done per device or based on 
group memberships. 

To perform one of these tasks, simply open the Absolute 
Manage Admin utility and select Mobile Devices from the 
Window drop-down menu. From the iOS Devices screen, right- 
click on the device and then choose the appropriate task or 
policy to enforce on the device. 

Figure 10 - Managing Devices Using Absolute Manage 


A common misconception in MDM environments is that 
MDM can be used to “push” out applications in the same way 
that MDM can push out configuration changes such as wiping a 
device and enforcing passcodes. However, no MDM provider 
can push applications to devices. But MDM solutions can push 
web links to devices. This allows pushing access to a web 
application to iOS based devices and enabling quick installations 
through MDM. 

The best way to push a link that will open a web 
application to an iOS based device is to assign a configuration 
profile to the device. The configuration profile is created in 
iPhone Configuration Utility, a process covered earlier in this 
article. It is also possible to push a webclip, but a webclip would 
only contain a URL. For example, a URL to an ePub or PDF doc 
that could then be opened on the device; the webclip we use to 
deploy Absolute Apps to the device; a link to an internal help 
desk or any other web site. Instead of a webclip, a configuration 
profile can be created on the fly, using imported Active 
Directory data. Deploying this profile sets up Exchange email on 
the device. Removing this profile (which can be done over the 
air) removes email access, as well as access to all associated 
calendar events and email messages. 

Once the configuration file is ready, open Absolute Manage 
Admin and then from the Window menu, select Mobile Devices. 
At the Mobile Devices screen, go to the iOS Devices screen, 
open APPS & PROFILES and then use a contextual menu to 
upload a new profile. 



To then select the newly uploaded profile, from the iOS 
Devices screen, right-click on a device or group of devices and 
then click on Install Provisioning Profile. Then select the profile 
you just uploaded and click on OK. 

Figure 12 - Assigning Profiles to Devices 


As mentioned, MDM cannot be used to push an application 
to an iOS based device. While MDM is flexible and provides a 
number of great features, there are limitations to what it can do. 
In addition to not being able to push an application, MDM also 
relies heavily on certificates. If the MDM certificate is removed 
then the client management tools can no longer control the 
device. In some cases this is desirable, such as when a device is 
being decommissioned, but the fact that administrative access to 
a device allows users to remove policies is also a good incentive 
to restrict access to administrative options on iOS based devices. 

Via the Absolute Apps on-device self-service portal, 
Absolute Manage MDM can publish a list of "recommended 
apps" for users. Even though the user must still initiate the 
install, this makes the iTunes Store invisible in the process. 
Through Smart Groups and Policies, administrators can ensure 
the right apps are installed - and the wrong ones are not - even 
though final control is in the end user’s hands. 

Now that we’ve taken a good look at MDM, we’re going to 
move on to more workflow oriented topics in the remaining 
sections. First up, getting to Files that are stored on your servers. 

File Access 

A basic computing task that many take for granted is 
opening, editing and then saving documents. This is so basic a 
task in organizations, from schools to small businesses to the 
corporate enterprises, that it has at this point become an 
assumed feature included with all operating systems. To go a 
step further, it’s also taken for granted that each operating 
system will also interconnect with servers of other operating 
systems, and for the most part this is a valid assumption. This is 
not the case with iOS. 

One of the things that makes iOS so unique is that the 
operating system obfuscates the underlying filesystem. As such, 
there is no /Volumes directory as in Mac OS X. In fact, 
applications are disconnected from one another as each is in its 
own sandbox. Instead of having a filesystem accessible to all 
applications, each application installed in iOS has a filesystem of 
sorts. If there is no global filesystem then it stands to reason that 
there is no integrated file server client (there’s not). Enter 
mobilEcho! 

mobilEcho 

mobilEcho is a new product from GroupLogic, the makers 
of ExtremeZ-IP. mobilEcho enables users to connect to file 
shares that are hosted on a mobilEcho server and therefore 
accomplish one of the most common tasks that needs to be 
done by most any computer in an enterprise: access files. The 
installation process for mobilEcho can be performed in most 
environments by simply accepting the default options during the 
installer. Once installed there are two aspects of configuration. 

The first is making file shares available to iOS based 
devices. This is done using tools that will be very familiar to 
existing users of ExtremeZ-IP for accessing Windows file servers 
(tools covered in earlier articles of this series). The shares 
connect over SSL rather than AFP, and so, are more 'native' to 
iOS while at the same time being secure. Remote connectivity to 
the shares is performed through a VPN connection back to the 
main office, configured separately. 

Figure 13 - Configuring Shares in mobilEcho 


The second aspect of installation is centrally managing the 
data and settings stored in the mobilEcho application. 
Configuring centralized management is done with the Client 
Management Administrator, distributed with the installation 
tool. The reason this is such a critical aspect of mobilEcho is 
that centralized client management allows administrators to craft 
which shares users see using profiles, provide user accounts 
specific to mobilEcho, provide access to multiple file servers, 
limit the options users have when accessing files and wipe the 
mobilEcho data on devices. The last item is particularly 
interesting because many environments allow users to access 
files and folders from personal devices. This provides a 
mechanism to remove data owned by the organization from 
devices without actually wiping a user's personal data. 

Managing the User Experience 

To access file shares, users will need to configure the 
application and have their appropriate servers and shares 
displayed. Configuration can be automated somewhat using the 
Client Management Administrator. Here, users and groups 
(groups can be based on membership in a directory services- 
based group) can be configured to access mobilEcho, above and 
beyond the standard credentials used to support connecting to 
file shares. 

Once the Client Management Administrator is installed, to 
add a group, click on Groups in the upper right hand corner of 
mobilEcho and then click on the Add new group button. Each 
group in an LDAP based directory service will have a unique 
identifier that is addressable based on the relative location of 
that group in the domain. At the screen for adding a group, 
administrators will supply the Distinguished Name (DN) for the 
group. 

Figure 14 - Creating Groups in mobilEcho 

Once the group has been configured, it will need a profile. 
The profile defines the servers that users within the group can 
access as well as what kind of access to objects stored on those 
servers that a user will have. Additionally, it defines security 
features such as whether the application will require a passcode 
to unlock, the length of the passcode (if required) and whether 
or not the application will cache files. Once all of the 
appropriate settings are configured for a group, click on the 
Save button (you can also configure policies for users instead 
of groups, but this is tedious for larger environments). 



Figure 15 - mobilEcho Group Settings 


Users can then access mobilEcho. If a device falls outside 
of organizational control, or if the user leaves the organization 
then mobilEcho's centralized management features allow 
administrators to remotely remove data from the mobilEcho 
application. 



Figure 16 - Resetting User Passwords 


Configuration data (which shares a user has access to, etc) 
is stored on the server and accessible to users no matter which 
device they connect from. This allows for quick restoration of 
user data, locking devices without needing to be concerned with 
the state of data that should be stored on servers and quickly 
restoring settings in the event that a device is retired, lost or 
stolen. 

Editing Documents 

Users can edit documents in any application that can open 
each type of document by leveraging the clipboard built into all 
iOS based devices. Users locate files and shares using mobilEcho 
and then click on the blue button beside the files to bring up a 
menu of options of what to do with the files. By using the Open 
In... option in this menu for a given file it can be accessed using 
any application that supports the file type. 





Figure 17 - Using Open In... to Access Files From Other Applications 


There are many applications that can edit commonly used 
document types. These include tools such as Office² HD and of 
course the iWork suite consisting of Pages, Numbers and 
Keynote. Most applications also now support the ability to Open 
In..., the same tool used to get a document to open from within 
these applications. Using this same option, users should see 
mobilEcho as an option to open documents in, an act that opens 
the file in mobilEcho so it can be saved back to the file server 
after being edited. Files can also be cached locally on the device 
using the File Inbox and My Files options, allowing users to 
work on files while offline. 


be on the same network as their file servers so that users can 
quickly and easily access files while outside of the main 
network. Most environments will already have a robust VPN 
environment and iOS natively supports accessing many of the 
VPN servers and protocols in use today. 

In addition to VPN, a reverse proxy can also provide access 
to mobilEcho for remote users. A reverse proxy is a server that 
is exposed to the Internet (e.g. sitting in a Demilitarized zone) 
that is used to access resources on behalf of a client (which 
often sits outside of a network). There are a plethora of tools 
available to build reverse proxies, including Microsoft® Internet 
Security and Acceleration (ISA) Server, Squid (in Reverse Proxy 
mode) and even Mac OS X Server. For more information on ISA 
Server see 
http://technet.microsoft.com/en-us/library/bb898432.aspx. 

The iOS Help Desk 

Web Help Desk and iPhones are a perfect companion. 
Especially when those on a service desk are actually supporting 
iOS based devices. As the name implies, Web Help Desk is a 
web-based help desk and ticket management system. The 
installation and management of Web Help Desk was covered in 
previous articles in this series, but the focus here is on using the 
Web Help Desk Mobile app as a tool that runs on an iPhone (or 
iPod Touch). 

Web Help Desk Mobile is freely available at 
http://itunes.apple.com/us/app/web-help-desk-mobile/id385247187?mt=8. 
Once installed, configuration is 
simple: at the opening screen, provide the address, username 
and password for the account that will be using Web Help Desk. 
Optionally, the icon badge for the app can be configured to 
show users how many alerts they have, a sound can alert users 
when they have new messages and an alert can show users 
information about those tickets. 

Figure 18 - Configuring Web Help Desk Mobile 


Accessing mobilEcho Remotely 

Currently, mobilEcho connects iOS based devices to file 
servers that reside on the same network. A VPN allows users to 


Once the settings are configured appropriately, click on the 
Done button to be placed at the Home screen. Here, users will 
see the number of tickets assigned to them, see a list of group 
tickets, be able to search for tickets and be able to search for 
client systems, putting centrally stored information about 
computers in the palms of support engineers so they can stay 
engaged. 
Figure 19 - Viewing Tickets 


Tickets can then be browsed and viewed. Similar to viewing 
mail, when tapped on Web Help Desk Mobile will show details 
of the ticket and allow technicians to make notes on tickets, 
change the status and perform a number of other tasks. When 
support staff is empowered to leverage mobile devices, tickets 
can be closed faster and without having support staff carrying 
additional devices to communicate with the back office. 

example of one aspect of iOS that can help bring sanity to 
infrastructure and a perfect complement to many help desk 
environments. 

Conclusion 

iOS is a rapidly growing platform. In many enterprises, the 
number of iPads, iPhones and iPod Touches now exceeds the 
number of Mac OS X based computers. The platform is young 
though, and products that can be used to centrally manage and 
interconnect the popular devices to other solutions are few and 
far between, leaving many a lucid administrator in need of a 
sanity check. In this article we focused on a few such tools: 
iPhone Configuration Utility, Absolute Manage, mobilEcho and 
Web Help Desk. 

One aspect of iOS that is so appealing to users is the wealth 
of applications that are available for the platform. Therefore, it 
should be of no surprise that there are many applications 
reaching a stable and mature state that IT departments can make 
use of to harness the platform. The tools covered in this article 
are meant to showcase centralized management (Absolute 
Manage), content distribution (mobilEcho) and using the device 
to carry out tasks common in a user’s day (Web Help Desk). 
However, each environment is different and so the needs of each 
environment will also be different. 

Maximizing productivity is important to justify any 
technology tool. Security and scalability are as well. However, 
when crafting policies and planning on a deployment try and 
keep a central theme in mind: these things are easy and fun to 
use and should stay that way. As organizations continue to pilot 
the iOS platform, it is often the traditional Mac OS X systems 
administrators that are tapped to manage these devices. The 
tools showcased in this article are a good start to keep sane 
when attempting to manage these devices en masse. We are 
entering into a new era and for many environments learning the 
new concepts and how to use these new tools is just the 
beginning. Good luck! 
Binding with 
AppleScriptObjC 

Connecting widgets through 
a key/value mechanism 

by Jose R.C. Cruz 


Introduction 

The hallmark of any good application is an intuitive, well- 
designed user interface. The interface is the first visible 
construct users get to see. It is through the interface that users 
interact with the application, receive and supply data as well 
as directions. 

So today, we will explore how a Cocoa application, built 
with AppleScriptObjC (or ASOC), connects itself with its user 
interface. We will study the bindings mechanism to shuttle 
data between the interface and the application process. We 
will learn some of the benefits of this mechanism, and some 
of its issues. 

Next, we study how to bind two types of interface 
widgets to a Cocoa object. And we will modify an existing 
Cocoa project to use the bindings mechanism. 

Readers should have a working knowledge of 
AppleScript and of the Xcode development tool. The project 
featured here is available from the MacTech ftp site at 
ftp://ftp.mactech.com. 

Interacting with the Interface 

In a typical Cocoa application are three distinct groups of 
classes (Figure 1). The first group, the models, holds the data 
being processed. These classes know how to store and 
manage said data. They define how the data is to be formatted 
and what protocol to use to convey it. Some model classes 
link the data to a given storage media or network. 

In the second group of classes are the views. They 
present the data to the user in a readable form. They create 
graphical constructs that users use to manipulate the data and 
to direct the application process. Some even provide 
constructs into which users provide new data, either by typing 
or by selection. 

The controllers form the third group of Cocoa classes. 
They are solely responsible for shuttling data between a 
model and its view(s). Some ensure that any data received by 
a view are immediately sent to the right model. Some keep 
the views in synch with their respective models. And some 
exchange data and signals with other controllers, either within 
or without the main process. 

It is, of course, possible for a Cocoa class to assume two 
roles. But such classes are rare and found mostly in third-party 
frameworks. Good code factoring always dictates that a class 
must have one role and must handle that role well. 

The traditional way 

Naturally, if a controller is to work correctly, it must know 
which view to link to which model. One way to establish 
these links is with the use of outlets and actions. 

Outlets and actions have their origins in NeXTStep, 
precursor to the Foundation and Application kits that form the 
modern Cocoa framework. An outlet is an object through 
which data is either sent or received. It can be a model or a 
view, or even a controller. An action is a routine that reacts to 
a specific signal. That signal may come from a model, a view, 
or another controller. 

In an ASOC script object, outlets and actions appear as 
properties and handlers (Listing 1). For a property to serve as 
an outlet, it gets a default setting of missing value. This 
setting does not declare a specific data type as AppleScript 
supports dynamic typing. For a handler to serve as an action, 
its name ends with an underscore and it gets a single input 
argument. The argument refers to the object that invoked the 
given action. Here too the argument does not specify a data 
type; it is up to the handler code to identify the calling object. 

Figure 1. The model-view-controller structure. 

Listing 1. A sample AppleScriptObjC script object. 

script WeightsAppDelegate
    -- BASE PROPERTIES
    property parent : class "NSObject"

    -- OUTLET PROPERTIES
    property oSrcVal : missing value
    property oSrcUnt : missing value
    property oCnvVal : missing value
    property oCnvUnt : missing value

    -- ACTION HANDLERS
    on doConvert_(aSrc)
        local tVal, tOld, tNew, tCnv

        -- read the entered weight value
        set tVal to floatValue() of oSrcVal as real
        set tOld to indexOfSelectedItem() of oSrcUnt as integer

        -- read the chosen weight unit
        set tNew to indexOfSelectedItem() of oCnvUnt as integer

        -- perform the conversion
        set tCnv to convertWeight ¬
            given weight:tVal, oldUnit:tOld, newUnit:tNew

        -- display the conversion result
        tell oCnvVal to setFloatValue_(tCnv as real)
    end doConvert_

    -- truncated for length...

end script

Figure 2 shows how the above outlets and actions are 
linked to a user interface, which is a window. On the window 
are two text fields and two pop-up menus. These are the views. 
The text fields are mapped to the outlets oSrcVal and 
oCnvVal, the pop-up menus to oSrcUnt and oCnvUnt. 
Their values can then be read or changed through their assigned 
outlets. 

Next, the first text field and the two pop-up menus are 
mapped to the action doConvert_(). When users enter new 
values into the field or select an item from the menu, the 
widgets react by invoking doConvert_() from the 
WeightsAppDelegate object. 

Outlets and actions are easy to implement and debug. They 
are easy to learn, thanks largely to their graphical nature. On the 
other hand, outlets and actions can be quite tedious to 
implement, especially on interfaces with complex layouts. 
Moreover, they are harder to change at runtime. 



Figure 2. Linking outlets and actions. 

The way of bindings 

Another way to link a controller to its views and model is 
through bindings. The bindings mechanism first appeared in 
version 10.3 of Mac OS X. It uses key/value pairs to map each 
view to each model. Furthermore, it uses predefined controllers 
to manage the data flow itself. 

Bindings work well with most interfaces, be they simple 
windows or complex forms. They can be defined either at build 
or at runtime. They can be altered at runtime to suit changing 
conditions. They even reduce the amount of code needed to link 
with each view or model. 

On the other hand, bindings are much harder to implement 
and debug. They are not supported by some third-party Cocoa 
classes and by classes that have to pass through code bridges. 

The Predefined Controllers 

At the time of writing, there are four predefined controllers 
in the Cocoa framework. Each one is designed to work with a 
specific model type. Some are optimized for a specific view. All 
four, however, support the bindings mechanism and show the 
same general behavior. 

The object controller 

The NSObjectController (Figure 3) is die base class 
of all but one of the predefined controllers. It uses an instance 
of NSMutabl©Dictionary as its default data model. But it 
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can use other model types passed through its modifier only two. All branches then converge to a single data item 
setObjectClass:, known as a root . 



Figure 3, The NSOb jectController class. 


Figure 5, The NSTreeCont roller dass. 


This controller class is built upon two other Cocoa classes. 
The superclass NSQbject provides services common to all 
Cocoa classes. It links the controller to the ObjC runtime engine 
and it defines die basic behavior of an ObjC object. The parent 
class NSController defines the two protocols common to 
all controller objects: NS Ed it or and 

NSEditorRegistration, 

The NSObjectController class is best suited for 
views that work with a fixed data set, Bui for repeating and 
hierarchical sets, other controllers are available. 

The array controller 

The NSArrayController {Figure 4) uses an 
NSMutableArray as its data model. It derives from 
NSObjectController; inheriting the latteds properties and 
methods. Plus, it has hooks for models that din filter or reorder 
its data store, 

The controller works best with interfaces that use the 
NSTableView class. That view can render data as a series of 
rows and columns. Users can examine large data sets one page 
at a time or they can open a row of data into a separate window 
for editing. 


NSOb j ectCoot rol1er 

T“ 


NSArrayCoatroller I-— «ueea» —4 MSHutableArray 



Figure 4, The NSArr ay Con t rol ler class. 


The tree controller 

The NSTreeController (Figure 5) also uses the same
NSObjectController as its parent class. Its data model is
a tree object, which can be an instance of
NSMutableDictionary or it can be a custom object. Tree
objects hold their data as a collection of branches and leaves. A
branch links three or more data items together, while a leaf links
only two. All branches then converge to a single data item
known as a root.


This controller is meant for interfaces that use either the 
NSBrowser or NSOutlineView widgets. These view
widgets present tree data in a top-down, hierarchical order. 
Users can drill down from the root or a specific branch, or they 
can isolate those branches that have a specific item. 

The user-defaults controller 

The NSUserDefaultsController class (Figure 6) 
does not derive from NSObjectController. But it shares 
the same parent and root classes as its sibling. The data model 
of this controller is an instance of NSUserDefaults. It 
allows the controller to use the defaults mechanism to store the
user’s preferences for the current process session. The 
preferences are written to a plist file, which may reside in the 
user’s home directory or in a publicly shared one. 



Figure 6. The NSUserDefaultsController class. 


The managed-object-content controller 

Yet, there is one controller not found in the standard 
Application Kit framework. This is the managed-object- 
content controller (Figure 7), which uses 
NSManagedObject and NSFetchRequest as its data 
models. With these models, the controller gains access to the 
Core Data layer. It can perform queries and other database- 
related tasks. It can even work with most SQL databases using 
the SQLite code engine.

Figure 7. The managed-object-content controller class.


In order to use this controller, we will have to build it from 
scratch. This topic, as well as Core Data, will be covered in a 
future MacTech article. 

Preparing to Bind 

When we last built the Weights demo project, we used
outlets and actions to link its view widgets to its controller
WeightsAppDelegate. Now we will refactor this same
project and use bindings to link its widgets. Our chosen
controller will be the NSObjectController class.

Defining the model 

Start by choosing New File from Xcode’s File menu. From
the ensuing assistant dialog, select the template AppleScript
class file. Click the Next button and set the file name to
WeightsConvert. Leave the file location at its default
setting. Then click the Finish button to create the file and add it
to the project.

Listing 2 shows part of the code for the 
WeightsConvert script object. This object uses the property 
bindDict to hold an instance of 
NSMutableDictionary. Its initialize() handler
stores three key/value pairs into bindDict. Then the 
convertWeight () handler reads those same three 
key/value pairs and uses their values to compute the new 
weight value. Not shown are the four instance handlers that do 
the actual computations. 

Listing 2. The model class.

WeightsModel

script WeightsConvert
    -- BASE PROPERTIES
    property parent : class "NSObject"

    -- INSTANCE PROPERTIES
    -- placeholder value; initialize() replaces it with a dictionary
    property bindDict : class "NSMutableArray"

    -- INHERITED HANDLERS
    to initialize()
        local tKeys, tVal

        try
            -- prepare the initial key/value data
            set tKeys to {"srcValu", "srcUnit", "cnvUnit"}
            set tVal to {0, 0, 2}

            -- initialize the property instance
            tell class "NSMutableDictionary" of the current application
                set bindDict to dictionaryWithObjects_forKeys_(tVal, tKeys)
            end tell
        on error eMsg number eNum
            local tErr

            set tErr to "WeightsConvert:initialize:error:" & eMsg
            log tErr
        end try
    end initialize

    -- Main dispatch routine
    to convertWeight()
        local tSrc, tCnv, tSru, tCnu

        -- initialize the following locals
        set tSrc to valueForKey_("srcValu") of bindDict as real
        set tSru to valueForKey_("srcUnit") of bindDict as integer
        set tCnu to valueForKey_("cnvUnit") of bindDict as integer

        -- identify the original weight unit
        if (tSru = 0) then
            -- weight:unit:kilogrammes
            set tCnv to convertKilogrammes for tSrc into tCnu
        else if (tSru = 1) then
            -- weight:unit:grammes
            set tCnv to convertGrammes for tSrc into tCnu
        else if (tSru = 2) then
            -- weight:unit:pounds
            set tCnv to convertPounds for tSrc into tCnu
        else if (tSru = 3) then
            -- weight:unit:stones
            set tCnv to convertStones for tSrc into tCnu
        else
            -- unknown unit: pass the source value through unchanged
            set tCnv to tSrc
        end if --(tSru=0)

        -- return the conversion result
        return (tCnv)
    end convertWeight

    -- conversion handlers go here...
end script

In essence, the WeightsConvert model carries those
conversion routines that used to be in the script object
WeightsAppDelegate. This frees the latter to focus on just
tasks delegated by the main application process.

Defining the controller 

Locate the MainMenu.xib entry from the Groups and
Files pane of the Xcode window. Double-click the entry to load
the bundle into Interface Builder. Within Interface Builder, locate
the entry Object Controller from the library palette. Drag its icon
onto the MainMenu.xib window—leave its name as is. 
These actions add an instance of NSObjectController. 

Now locate the entry Object from the library palette. Again,
drag its icon onto the MainMenu.xib window. Change the
icon’s name to WeightsConvert. Go to the File menu and
choose the menu Read Class Files.... Use the Open File dialog
to select and load the project file
WeightsConvert.applescript. Interface Builder will
display a warning dialog, telling us that the file does not have
any valid ObjC classes. Ignore it and dismiss the dialog.

Select the WeightsConvert icon and choose Identity
Inspector from the Tools menu. From the pop-up menu labeled
Class, select WeightsConvert. These steps add an instance of
WeightsConvert to the MainMenu.xib bundle. Save
your changes at this point.

Now select the Object Controller icon on the
MainMenu.xib window. Choose Bindings Inspector from
the Tools menu. Drag a line from the content outlet to the
WeightsConvert icon (Figure 8). This makes WeightsConvert
the model for our object controller.

Again, save your changes. 



Figure 8. Linking the controller to its model 


Binding The Controls 

Most views fall under one of two groups. In the control
group are views that interact with users by either clicks or
selections. Some views such as the NSPopupButton present
users with a restricted choice of inputs. Others such as
NSMenuItem allow users to start or direct a specific process.
Signal flow is often unidirectional, going from view to
controller.

The window of our Weights project has two Pop Up 
Button widgets. Both are control views and both are instances 
of NSPopupButton. We will see how these views are 
bound to the object controller.

To bind the view 

The active session should be Interface Builder. Select the
top Pop Up Button widget and choose Bindings
Inspector from the Tools menu. On the inspector palette,
locate the entry labeled Selected Index. Click its disclosure icon
to view the binding settings.

Now click to set the checkbox labeled Bind to:. From the
adjacent pop-up menu, choose the entry Object Controller. On
the first combo field, Controller Key, enter the value
'selection'. On the next combo field, Model Key Path,
enter 'bindDict.srcUnit'. Leave the rest of the settings
as is and save your changes. The palette should match the one
in Figure 9.

Select the bottom Pop Up Button widget. Repeat the
above steps, but set its Model Key Path to
'bindDict.cnvUnit'. Again, save your changes.

Figure 9. Binding the Pop Up Button.


What we just did is tell the object controller to monitor the 
states of the two widgets. If a user selects a menu item from 
either widget, the controller will read the selected index. It 
relays the index to WeightsConvert, which then stores the
index into its bindDict property. 

Binding The Fields 

In the field group are views that present data as human-
readable text. Some views such as NSTextField let users
enter or edit text through typing. Some such as NSComboBox
come with a pop-up menu wherein users can choose preset text
values. And some such as NSTextView accept multiple
text-related data like font styles and colors.

Our Weights project uses two Text Field widgets on its 
main window. Both widgets are field views and both are 
instances of NSTextField. The top widget lets users enter or
change numeric text. But the bottom widget, being disabled, 
does not. 

To bind the view 

The active tool session should still be Interface Builder.
Select the top Text Field widget and choose Bindings
Inspector from the Tools menu. Locate the entry labeled Value
and click its disclosure icon. Again, set the checkbox Bind to:
and choose Object Controller from the adjacent pop-up menu.
In the Controller Key field, enter the value 'selection'.
Then in the Model Key Path field, enter
'bindDict.srcValu' (Figure 10). Save your changes
when done.

Next, select the bottom Text Field widget. Repeat the
above steps, but set the Model Key Path field to
'convertWeight'. Again, save your changes.

Figure 10. Binding the Text Field widget.


Two things will now happen. When a user enters a number
value to the top widget, the object controller sends that value to
WeightsConvert. WeightsConvert then stores the
value into its bindDict property. But the bottom widget is not
bound to the same bindDict property as the top. Instead, it
is bound to the convertWeight() handler. Thus, that
widget will invoke said handler and display the latter’s result.

First run 

Switch back to Xcode and choose Clean All Targets from
its Build menu. This should remove the old build files from the
project. Now, choose Build and Run from the same menu.
Xcode will now recompile the project and launch the resulting
Weights binary.

Once Weights becomes active, it will display a single 
window. The top field and the two pop-up menus will show the
default values held by the bindDict property. And the 
bottom field will show the conversion results based on those 
values. 

Yet, if we provide a different value to the top field, the 
result from the bottom field remains unchanged. The same also 
happens when we choose a different unit from any of the two 
pop-up menus. This means Weights does not respond to 
changes in input. 

Reacting To Change 

For the WeightsConvert model to react to changes in
its key/value data, it must register which keys are dependent and
which ones are not. If the model were written in ObjC, it can
register dependency using the lightweight method
setKeys:triggerChangeNotificationsForDependentKey:.

Consider the sample code in Listing 3. Here,
WeightsConvert tells the object controller that changes to
keys srcValu, srcUnit and cnvUnit should cause a
change to key convertWeight. Since convertWeight
points to a routine, changes to any of the three keys will invoke
the routine.

Listing 3. Registering the dependent key.

// setKeys:triggerChangeNotificationsForDependentKey: is a class
// method, so it is sent from the class's own +initialize
+ (void)initialize
{
    NSArray *tKeys;

    // prepare the properties...
    //
    tKeys = [NSArray arrayWithObjects:@"srcValu", @"srcUnit",
                                      @"cnvUnit", nil];
    [self setKeys:tKeys
        triggerChangeNotificationsForDependentKey:@"convertWeight"];
}

Yet, the above method does not appear to work with the
AppleScriptObjC bridge. It is possible that the bridge does not
yet support this call. To work around this shortcoming, we fall
back to that old reliable: the action handler.

Preparing the model 

Go to the WeightsConvert script class on the Xcode project 
window. Modify its convertWeight handler as shown in
Listing 4. The handler is now an action handler, its argument
aSrc pointing to the calling widget. As usual, it reads the 
key/value data from the bindDict property and invokes the 
required conversion handlers. But, instead of returning the 
conversion result, this action handler stores the result to the 
bindDict property under the key 'cnvValu'. 


Listing 4. The action handler.

convertWeight_()

to convertWeight_(aSrc)
    local tSrc, tCnv, tSru, tCnu

    -- initialize the following locals
    set tSrc to valueForKey_("srcValu") of bindDict as real
    set tSru to valueForKey_("srcUnit") of bindDict as integer
    set tCnu to valueForKey_("cnvUnit") of bindDict as integer

    -- identify the original weight unit
    -- see the project for the complete code

    -- store the conversion result under the key cnvValu
    tell bindDict to setValue_forKey_(tCnv, "cnvValu")
end convertWeight_

Next, modify the initialize handler as shown in
Listing 5. The handler now stores four key/value pairs to the
bindDict property. Save your changes when done.

Listing 5. The modified handler.

initialize()

to initialize()
    local tKeys, tVal

    try
        -- prepare the initial key/value data
        set tKeys to {"srcValu", "srcUnit", "cnvUnit", "cnvValu"}
        set tVal to {1, 0, 2, 0}

        -- initialize the property instance (unchanged from Listing 2)
        tell class "NSMutableDictionary" of the current application
            set bindDict to dictionaryWithObjects_forKeys_(tVal, tKeys)
        end tell
    on error eMsg number eNum
        local tErr

        set tErr to "WeightsConvert:initialize:error:" & eMsg
        log tErr
    end try
end initialize

Linking the action 

Switch to Interface Builder and select the bottom Text
Field widget on the window layout. Then choose Bindings
Inspector from the Tools menu. Change the Model Key Path
field to 'bindDict.cnvValu'. The object controller will
now update this widget with data held by the 'cnvValu' key
of the bindDict property.

Next, select the WeightsConvert icon on the
MainMenu.xib window. Choose Connections Inspector
from the Tools menu. The inspector palette should show
convertWeight as one of the actions. Drag a line from
convertWeight to the top Text Field widget. Do the
same for the two Pop Up Button widgets. Save your
changes and switch back to Xcode.

Second run 

Recompile the Weights project by choosing Build and Run
from the Run menu. As before, Xcode launches the Weights
binary after building it, and Weights displays its sole window.

Click on the second Pop Up Button widget and choose
the menu item grammes. With the original weight value being 1
and its unit being kilogramme, Weights should display the value
1000 on the second Text Field widget. Try changing the
other input values. Weights should still react to each change with
the right conversion result.

Concluding Remarks 

Bindings are another way to link application code objects 
with the user interface and with each other. They use key/value 
pairs to identify the links and predefined controllers to manage 
the links. Bindings help reduce the amount of coding needed
and they help refactor the application code into distinct, 
manageable pieces. 

This article showed us how bindings can work with an
AppleScriptObjC script object. We learned how to modify an 
existing ASOC project and how to assign key/value pairs to its 
interface widget. We learned how to bind an object controller to 
the user interface. We even learned how to work around a 
binding shortcoming. 

So ends today's coverage of AppleScriptObjC. Come back 
next time as we explore other relevant topics like data sourcing, 
browsing, input/output streams, and so on. 

Until then, I bid you good day.

Examining 3 Important
Nmap Scans with WireShark

Using WireShark to explain Nmap traffic

Mihalis & Dimitris Tsoukalos


Introduction 

In this article, you will learn how to interpret the traffic 
created by three popular Nmap scans—the TCP SYN scan, the 
Ping Scan and the UDP scan—using the WireShark network 
traffic analyzer. The required TCP/IP theory is also included.

WireShark and Nmap were running on the same machine, 
an iMac, which makes the capturing process easier. You must 
remember, though, that WireShark can also analyze
pre-captured traffic from many different sources and formats.

The TCP Handshake 

IP protocol provides unreliable packet delivery to each 
packet’s destination IP address. Unreliable means that packets 
may not reach their destination because of transmission errors, 
network hardware failures, or when networks become 
congested and cannot accommodate the load presented. 
Networks may deliver packets out of order, deliver them after a 
substantial delay or deliver duplicates. 

TCP provides a connection oriented, reliable, byte stream 
service. It is a full duplex protocol, meaning that each TCP 
connection supports a pair of byte streams, one flowing in each 
direction. The term connection oriented means the two 
applications using TCP must establish a TCP connection with 
each other before exchanging any data. 

TCP assigns a sequence number to each byte transmitted,
and expects a positive acknowledgment (ACK) from the
receiving TCP stack. If the ACK is not received within a timeout
interval, the data is retransmitted as the original packet is
considered undelivered. The receiving TCP stack uses the
sequence numbers to rearrange the segments when they arrive
out of order, and to eliminate duplicate segments.

TCP header includes Source Port and Destination Port 
fields. These two fields plus the source and destination IP 
addresses are combined to uniquely identify each TCP 
connection. Ports help TCP/IP stacks in network connected 
devices (PCs, routers etc.) to distribute traffic among multiple 
programs executing on a single device. 


A TCP header also includes a 6-bit flags field that is used to
relay control information between TCP peers. The possible flags
include SYN, FIN, RESET, PUSH, URG, and ACK. SYN and ACK
flags are used for the initial TCP 3-way handshake. The RESET
flag signifies that the receiver wants to abort the connection.

In Figure 1 we can see the 3-way handshake packet
exchange. Initially Client sends a TCP SYN packet to Server. The TCP
header also includes a Sequence number field that has an
arbitrary value in the SYN packet.


Figure 1: The TCP Handshake


Server sends back a TCP [SYN, ACK] packet that includes
the Sequence number of the opposite direction and an
acknowledgement of the previous Sequence number.

Finally, in order to truly establish the TCP connection,
Client sends a TCP ACK packet in order to acknowledge the
Sequence number of Server.

The ICMP Protocol 

To allow routers in a network to report errors or provide
information about unexpected circumstances, a special purpose
message mechanism is included in TCP/IP protocol. Like all
other traffic, ICMP messages travel across a network in the data
portion of IP packets. The ultimate destination of an ICMP
message is not an application program or a user on the
destination device but the Internet Protocol software on that
device. That is, when an ICMP error message arrives, the ICMP
software module handles it. Of course, if ICMP determines that
a particular higher-level protocol or application program has
caused a problem, it will inform the appropriate software
module.

The TCP/IP protocol provides facilities to help network
managers or users identify network problems. One of the most
frequently used debugging tools, ping, invokes the ICMP echo
request and echo reply messages. A host or router sends an
ICMP echo request message to a specified destination. Any
machine that receives an echo request formulates an echo reply
and returns it to the original sender. The request contains an
optional data area; the reply contains a copy of the data sent in
the request. The echo request and associated reply can be used
to test whether a destination is reachable and responding.
Because both the request and reply travel in IP packets,
successful receipt of a reply verifies that major pieces of the
network work. First, IP software on the source computer must
route the packet. Second, intermediate routers between the
source and destination must be operating and must route the
packet correctly. Third, the destination device must be running
(at least it must respond to interrupts), and both ICMP and IP
software must be working. Finally, all routers along the return
path must have correct routes.

The UDP Protocol

UDP uses the underlying IP protocol to transport a message
from one machine to another, and provides the same unreliable,
connectionless packet delivery as IP. It does not use
acknowledgements to make sure messages arrive, it does not
order incoming messages, and it does not provide feedback to
control the rate at which information flows between the
machines. Thus, UDP messages can be lost, duplicated, or arrive
out of order. Furthermore, packets can arrive faster than the
recipient can process them. It only adds the ability to distinguish
among multiple destinations within a given device that uses
source and destination ports fields in the UDP header.

Common network applications that use UDP include the 
Domain Name System (DNS), Trivial File Transfer Protocol 
(TFTP), real time streaming media applications such as IPTV, 
Voice over IP (VoIP), and many online games. 

The TCP SYN Scan Traffic 

For the purposes of this part of the article, a TCP SYN scan was
run against a single network device. The output of the Nmap
command (using administrator privileges) is the following:

Monastery:Downloads mtsouk$ sudo nmap -sS 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-29 16:50 EET
Nmap scan report for 192.168.1.1
Host is up (0.0033s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
8081/tcp open  blackice-icecap
8085/tcp open  unknown
MAC Address: 00:1D:19:8C:EB:27 (Arcadyan Technology)

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

The TCP SYN scan is a very popular scan as it shows the
open TCP ports. For each port a service is presented. The key
point here is to remember that the presented service has not
been tested and therefore you should not consider it 100%
trustworthy.

The Nmap output shows that the 192.168.1.1 device (that is 
an ADSL router) has three TCP ports open: 80, 8081 and 8085. 

So, we will start our WireShark analysis with the packets
that Nmap exchanges with the target host (192.168.1.1) while
Nmap runs on host with the 192.168.1.10 IP. Before starting the
TCP port scan, Nmap does some initial tasks such as DNS
reverse query of the target IP address that we can ignore for the
purposes of this article.

Figure 2: TCP SYN scan packets with WireShark

In Figure 2, we see that from packet 58 to packet 67, Nmap
starts the TCP SYN scan from source TCP port 47295 to TCP
ports 111, 554, 23, etc. In WireShark's main window, we do not
see port numbers but their relevant service name according to
standards (e.g. telnet for port 23, HTTP for port 80).

From packet 68 to packet 78 we see how the 192.168.1.1
target device responds to the packets that Nmap has already
sent. Nmap has more packets to send but meanwhile the target
device responds to the first group of packets. Most TCP
destination ports that are not used in the target device reply with
a [RST, ACK] packet. For example the reply to packet 63 (a scan
to port 443) is packet 73. The most reasonable explanation for
this is that the target device does not allow connections through
secure http (https).

But, we can also notice that the reply to TCP port 80 (HTTP
or practically the Web GUI of the ADSL router) is a [SYN, ACK]
packet. As we can recall from the Nmap output, the http port is
open. I can assure you that the specific ADSL router has a Web
GUI that listens to the standard TCP port 80.

In Figure 3 we can see that Nmap continues the TCP port 
scanning testing other ports. Most ports reply with a [RST, ACK] 
packet except the ports that are open waiting for incoming 
connections. These ports, as the TCP 80 port that we saw above, 
reply with a [SYN, ACK] packet. 
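
The reading of Figures 2 and 3 can be reproduced from raw bytes. The following Python code is an added example, not part of the original article: it decodes the 6-bit flags field of each TCP header, rebuilds the port states from the replies ([SYN, ACK] means open, [RST, ACK] means closed), and marks a source that sends bare SYNs to many ports without completing any handshake. The packet bytes, sequence numbers, the 192.168.1.20 client and the min_ports threshold are constructed assumptions; the addresses, source port 47295 and port numbers come from the article.

```python
import struct
from collections import defaultdict

# The six control bits the article lists (byte 13 of the TCP header).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def tcp_header(sport, dport, seq, ack, flags, window=4096):
    """Build a 20-byte TCP header for sample data (checksum left at 0)."""
    bits = sum(FLAGS[name] for name in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)


def parse_tcp(raw):
    """Decode ports, sequence/ack numbers and flag names from raw header bytes."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _offset, bits = struct.unpack("!HHIIBB", raw[:14])
    return sport, dport, seq, ack, {n for n, b in FLAGS.items() if bits & b}


def analyse(capture, min_ports=5):
    """capture: list of (src_ip, dst_ip, raw_tcp_header) in arrival order."""
    probes = {}                    # (src, dst, sport, dport) -> sequence number of the SYN
    states = defaultdict(dict)     # (prober, target) -> {port: state}
    completed = defaultdict(set)   # (prober, target) -> ports where the final ACK was seen
    for src, dst, raw in capture:
        sport, dport, seq, ack, flags = parse_tcp(raw)
        reply_to = (dst, src, dport, sport)
        if flags == {"SYN"}:
            probes[(src, dst, sport, dport)] = seq
            states[(src, dst)].setdefault(dport, "no-response")
        elif reply_to in probes and ack == (probes[reply_to] + 1) & 0xFFFFFFFF:
            # A genuine reply acknowledges the probe's sequence number + 1.
            if flags == {"SYN", "ACK"}:
                states[(dst, src)][sport] = "open"
            elif "RST" in flags:
                states[(dst, src)][sport] = "closed"
        elif flags == {"ACK"} and (src, dst, sport, dport) in probes:
            completed[(src, dst)].add(dport)   # third step of the handshake
    report = {}
    for pair, ports in states.items():
        report[pair] = {
            "open": sorted(p for p, s in ports.items() if s == "open"),
            "closed": sorted(p for p, s in ports.items() if s == "closed"),
            "no_response": sorted(p for p, s in ports.items() if s == "no-response"),
            # Many distinct ports probed and not one handshake completed.
            "syn_scan_suspected": len(ports) >= min_ports and not completed[pair],
        }
    return report


def sample_capture():
    """Constructed packets modelled on the article's capture."""
    scanner, target, client = "192.168.1.10", "192.168.1.1", "192.168.1.20"
    cap = []
    for port in (111, 554, 23, 443, 80, 8081, 8085):
        cap.append((scanner, target, tcp_header(47295, port, 1000, 0, ["SYN"])))
    for port in (111, 554, 23, 443):
        cap.append((target, scanner, tcp_header(port, 47295, 0, 1001, ["RST", "ACK"], 0)))
    for port in (80, 8081, 8085):
        cap.append((target, scanner, tcp_header(port, 47295, 7000 + port, 1001, ["SYN", "ACK"])))
    # An ordinary client that completes the 3-way handshake on port 80.
    cap.append((client, target, tcp_header(50000, 80, 42, 0, ["SYN"])))
    cap.append((target, client, tcp_header(80, 50000, 900, 43, ["SYN", "ACK"])))
    cap.append((client, target, tcp_header(50000, 80, 43, 901, ["ACK"])))
    return cap


if __name__ == "__main__":
    for pair, result in analyse(sample_capture()).items():
        print(pair, result)
```
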

The Ping Scan Traffic 

First of all, two essential pieces of information about this part
of the article:

For security reasons, both the actual IP addresses and host
names have been replaced in the Nmap output as well as in the
WireShark output.

If you execute a ping scan on a LAN, the process is different
from the one presented here. LAN ping scans are executed using
the ARP protocol and not the ICMP protocol presented here.

The following nmap command scans 64 IP addresses, from
5.5.18.1 to 5.5.18.64. The results show that at execution time
only 13 hosts were up or, to be 100% precise, only 13 hosts
answered the Nmap scan!

Monastery:Downloads mtsouk$ sudo nmap -sP 5.5.18.1-64

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-29 17:32 EET
Nmap scan report for ISP-0592.home.ISP.gr (5.5.18.20)
Host is up (0.0022s latency).
Nmap scan report for ISP-0595.home.ISP.gr (5.5.18.23)
Host is up (0.028s latency).
Nmap scan report for ISP-0597.home.ISP.gr (5.5.18.25)
Host is up (0.027s latency).
Nmap scan report for ISP-0599.home.ISP.gr (5.5.18.27)
Host is up (0.021s latency).
Nmap scan report for ISP-0605.home.ISP.gr (5.5.18.33)
Host is up (0.060s latency).
Nmap scan report for ISP-0610.home.ISP.gr (5.5.18.38)
Host is up (0.061s latency).
Nmap scan report for ISP-0611.home.ISP.gr (5.5.18.39)
Host is up (0.019s latency).
Nmap scan report for ISP-0619.home.ISP.gr (5.5.18.47)
Host is up (0.033s latency).
Nmap scan report for ISP-0621.home.ISP.gr (5.5.18.49)
Host is up (0.018s latency).
Nmap scan report for ISP-0625.home.ISP.gr (5.5.18.53)
Host is up (0.025s latency).
Nmap scan report for ISP-0629.home.ISP.gr (5.5.18.57)
Host is up (0.016s latency).
Nmap scan report for ISP-0631.home.ISP.gr (5.5.18.59)
Host is up (0.018s latency).
Nmap scan report for ISP-0633.home.ISP.gr (5.5.18.61)
Host is up (0.050s latency).
Nmap done: 64 IP addresses (13 hosts up) scanned in 2.34 seconds
Monastery:Downloads mtsouk$

Figure 3: More packets from the TCP SYN scan

Figure 4: An Nmap ping scan starting with ICMP echo packets

Nmap also calculates the round trip time delay (or latency).
This gives a pretty accurate estimate of the time needed for the
initial packet (sent by Nmap) to go to a target device plus the
time that the response packet took to return to Nmap.

Initially, Nmap sends an ICMP echo request to the specified
hosts. If there is an ICMP echo reply then that host is considered
up. In Figure 4, we see that packet 19 is the
request to host 5.5.18.20 and there is a reply from this host in
packet 23. So host 5.5.18.20 is considered up by Nmap and no
additional tests are tried on this IP.

The purpose of the Ping test is simply to find out if an IP
address is responding or not. Nmap adds some intelligence to
the standard ping (ICMP protocol) that we usually execute from
our hosts by trying some common TCP ports in case the ICMP
request receives no reply, as it can be seen in Figure 5, with
hosts 5.5.18.52 and 5.5.18.39. Host 5.5.18.39 replies to the
additional tests whereas 5.5.18.52 sends nothing. So Nmap
considers host 5.5.18.39 up and host 5.5.18.52 probably down.
What is important for Nmap in a ping scan is not the actual data
of the received packets but the existence of a reply packet.
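
The ICMP echo exchange and the up/down decision described above can be written out as follows. This Python code is an added example, not part of the original article: it builds an echo request with its Internet checksum, accepts an echo reply only when it carries the same identifier, sequence number and a copy of the request's data, and falls back to "any reply to a TCP probe" before calling a host probably down. The identifier 0x1234, the payload and the recorded replies are constructed; the three host addresses are the ones the article discusses.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type numbers


def inet_checksum(data):
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, payload=b""):
    """ICMP echo message: type, code 0, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(message):
    """Return (type, code, identifier, sequence, data); reject damaged messages."""
    if len(message) < 8:
        raise ValueError("truncated ICMP message")
    if inet_checksum(message) != 0:   # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return icmp_type, code, ident, seq, message[8:]


def host_status(request, icmp_replies, tcp_replies):
    """Decide up/down the way the article reads the ping scan capture."""
    _type, _code, ident, seq, payload = parse_echo(request)
    for raw in icmp_replies:
        try:
            rtype, _rcode, rid, rseq, rdata = parse_echo(raw)
        except ValueError:
            continue                  # corrupted reply proves nothing
        # The reply must echo back the request's identifier, sequence and data.
        if rtype == ECHO_REPLY and (rid, rseq, rdata) == (ident, seq, payload):
            return "up (ICMP echo reply)"
    if tcp_replies:
        # Only the existence of a reply matters, even a reset.
        return "up (reply to TCP probe)"
    return "probably down"


def sample_sweep():
    """Constructed observations for three hosts named in the article."""
    request = build_echo(ECHO_REQUEST, 0x1234, 1, b"probe")
    observed = {
        "5.5.18.20": ([build_echo(ECHO_REPLY, 0x1234, 1, b"probe")], []),
        "5.5.18.39": ([], [{"RST"}]),   # no echo reply, but a TCP probe was answered
        "5.5.18.52": ([], []),          # silence on every probe
    }
    return {host: host_status(request, icmp, tcp)
            for host, (icmp, tcp) in observed.items()}


if __name__ == "__main__":
    for host, status in sample_sweep().items():
        print(host, status)
```
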

The UDP Scan Traffic 

This part of the article will show the Nmap attempt to
identify the open UDP ports of the 192.168.1.50 host: a Windows
XP Service Pack 3 machine. Please notice that the XP machine
runs a firewall.

The executed Nmap command and the results are the
following:

sudo nmap -sU 192.168.1.50
Password:

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-29 17:18 EET
Nmap scan report for 192.168.1.50
Host is up (0.041s latency).
Not shown: 996 open|filtered ports
PORT    STATE  SERVICE
135/udp closed msrpc
136/udp closed profile
137/udp open   netbios-ns
139/udp closed netbios-ssn
MAC Address: 00:26:82:2E:16:5B (Gemtek Technology Co.)

Nmap done: 1 IP address (1 host up) scanned in 14.20 seconds

Figure 5: Nmap performing http and https requests

Figure 6: Nmap UDP port scanning

Figure 7: Packets at UDP port 137

Nmap UDP port scanning starts by sending UDP packets 
with no additional data (a.k.a. empty UDP packets) to various 
ports. In Figure 6 we see that the host sends an ICMP 
Destination unreachable for UDP at port 135. This means that 
the port is closed and not filtered by any firewall. If there is no 
reply at all from the host for a given UDP port then the port is 
considered open but filtered (the open|filtered state in the Nmap 
output above). 

In Figure 7 we see that for UDP port 137 (netbios-ns) there 
is a reply that states that the host cannot understand the actual 
netbios packet, so the port is definitely in use. 
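
The reply-to-state rules described above, applied to capture rows as one would read them out of Wireshark. This is an added example, not code from the article or from Nmap; the capture rows, the scanner address and the min_ports threshold are constructed assumptions. It goes one step beyond the text by also handling the other ICMP unreachable codes, which Nmap's documentation maps to "filtered", and by listing which source sent the empty probes.

```python
from collections import defaultdict

# Constructed capture rows (not the article's trace), shaped like a Wireshark
# export: (src, dst, proto, port, payload_len, icmp). "port" is the UDP port on
# the scanned host; for ICMP errors it is the port quoted inside the error and
# icmp holds the (type, code) pair.
SCANNER, TARGET = "192.168.1.10", "192.168.1.50"  # scanner address is assumed
CAPTURE = [
    (SCANNER, TARGET, "udp", 135, 0, None),      # empty probe
    (TARGET, SCANNER, "icmp", 135, 0, (3, 3)),   # port unreachable
    (SCANNER, TARGET, "udp", 137, 0, None),
    (TARGET, SCANNER, "udp", 137, 50, None),     # the service answered
    (SCANNER, TARGET, "udp", 161, 0, None),      # nothing came back
    (SCANNER, TARGET, "udp", 500, 0, None),
    (TARGET, SCANNER, "icmp", 500, 0, (3, 13)),  # administratively prohibited
]
# ICMP type 3 codes that Nmap's documentation maps to "filtered".
FILTERED_CODES = {0, 1, 2, 9, 10, 13}


def classify_udp_ports(capture, target):
    """Return {port: state} for each UDP port probed on target."""
    states = {}
    for src, dst, proto, port, _length, icmp in capture:
        if dst == target and proto == "udp":
            states.setdefault(port, "open|filtered")  # probe seen, no reply yet
        elif src == target and proto == "udp":
            states[port] = "open"                     # any UDP reply: in use
        elif src == target and proto == "icmp" and icmp and icmp[0] == 3:
            if icmp[1] == 3:
                states[port] = "closed"
            elif icmp[1] in FILTERED_CODES:
                states[port] = "filtered"
    return states


def empty_probe_sources(capture, min_ports=3):
    """Map (src, dst) to the ports hit by zero-length UDP datagrams.

    min_ports is an assumed threshold; tune it to the network being monitored.
    """
    ports = defaultdict(set)
    for src, dst, proto, port, length, _icmp in capture:
        if proto == "udp" and length == 0:
            ports[(src, dst)].add(port)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


if __name__ == "__main__":
    print(classify_udp_ports(CAPTURE, TARGET))
    print(empty_probe_sources(CAPTURE))
```
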

Summary 

You should by now have a pretty good understanding of 
Nmap traffic. Feel free to analyze and explore other types of 
Nmap scans using WireShark in order to test and enhance your 
skills. 

WireShark is a valuable tool and using it can also be fun. 
More articles are coming in the WireShark series so keep 
creating network traffic! 

Web links and Bibliography 

WireShark site: http://www.wireshark.org/ 

Nmap site: http://www.nmap.org/ 

RFCs: http://www.ietf.org/rfc.html 

TCP tutorial: http://www.ssfnet.org/Exchange/tcp/tcpTutorialNotes.html 

Internetworking with TCP/IP, Volume I, Douglas E. Comer, 
Prentice Hall 
MACTECH SPOTLIGHT 

Kirill Luzanov 

Binary Fruit 

http://www.diskradar.com 

What do you do? 

I’m the founder of Binary Fruit, a software startup that I started 
in 2009. I write code and design UI. I’m a professional 
software/system architect. Design is my hobby. DiskRadar is currently 
main product. 


the application provides access to all sufficient hard 
drive diagnostic data to satisfy any system 
administrator or techie. 

Coolest Ever? 

"Active objects" powered multithreaded template 
C++ library. I wrote it in 2003 as part of labs 
automation software. As far as I know, software based 
on it is still working, for example, in Daimler AG 
research labs and many other places. 

Where can we see a sample of your work? 

www.diskradar.com 


How long have you been doing what you do? 

I have started my career of software developer in 1997 as a SCO 
Unix developer. So, I have 14 years experience in IT already. Last 5 
years, before Binary Fruit, I worked as a chief software/system 
architect. Binary Fruit is my first independent startup. 


The next way I'm going to impact 
the Mac universe is: 

Continue to improve DiskRadar. Make best-in-class software. 



What was your first computer? 

An IBM PS/2 with 286 processor at my school. The first computer 
that I owned was in 1996; a Pentium 100 MHz based PC with 16MB 
RAM and 1 GB Seagate HDD powered by Win95. They were 
wonderful, wonderful times... 

Are you Mac-only, or a multi-platform person? 

I feel at home both on OS X, Windows and Linux/Unix systems. 

I have started from MS DOS and Win3.11 at my school. Then 
from 1995 - guess what... - yep - Win 95. In 1997 (as I said above), 
I have started professional career as Unix developer. My first Linux 
installation was in 1998. Between 1999 and 2006 I was a Windows 
developer. My first real acquaintance with Macs was in 2006. So, I'm 
definitely a multi-platform person and I respect all platforms. But 
the last few years, I'm using Macs 95% of the time. 

What is the advice you’d give to someone trying to get 
line of work today? 

Think different and never stop believing 
stop—the road appears under your feet while waJ 

What's the coolest tech thing you've done using OS 

Undoubtedly DiskRadar! This project had a lot of both technical 
and design/UX challenges. 

Technical: modern drives contain terabytes of data in millions of 
files, so it is definitely not easy in few seconds to scan, analyze 

and visualize all this data on average comma_ 

thing is disk health diagnostics. S.M.A.R.T. specification by itself is 
really not consistent, complex and poorly specified. So, it was not 
easy and very interesting to write disk health analysis and failure 
prediction routines that based on statistics, heuristics and fuzzy logic. 
Moreover - pure S.M.A.R.T. stuff is too complex for average users, so 
there was second challenge - UX and design of the disk health 
diagnostics stuff. I spent a lot effort in designing disk health 
infographics, and now I think DiskRadar is the most intuitive and 
user-friendly tool on the market. And at the same time (important!) 